Access tester

ABSTRACT

The Access Tester allows an administrator, or any other authorized user, to determine who or what entities have access to a resource, whether a particular individual or set of individuals have access to a resource under certain conditions and whether the authorization rules associated with a resource operate as intended. In one embodiment, an administrator uses a graphical user interface to enter access information. Exemplar access information includes one or more URLs identifying the resource(s), one or more request methods, one or more IP addresses, date and time restrictions, and an identification of one or more users. The Access Tester determines whether the identified users are authorized to access the resource(s) associated with the URL(s) using the request methods, during the date and time provided.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. ProvisionalApplication No. 60/216,955, Web Access Management, filed Jul. 10, 2000,incorporated herein by reference.

[0002] This Application is related to the following Applications:

[0003] Cache Flushing, by Joshi, et al., Attorney Docket No.OBLX-01012US0, filed the same day as the present application;

[0004] Post Data Processing, by Knouse, et al., Attorney Docket No.OBLX-01013US0, filed the same day as the present application;

[0005] User Authentication, by Martherus, et al., Attorney Docket No.OBLX-01014US0, filed the same day as the present application;

[0006] Localized Access, by Ramamurthy, et al., Attorney Docket No.OBLX-01015US0, filed the same day as the present application;

[0007] Query String Processing, by Crosbie, et al., Attorney Docket No.OBLX-01016US0, filed the same day as the present application;

[0008] Logging Access System Events, by Joshi, et al., Attorney DocketNo. OBLX-01017US0, filed the same day as the present application;

[0009] Providing Data To Applications from an Access System, by Joshi,et al., Attorney Docket No. OBLX-01018US0, filed the same day as thepresent application; and

[0010] Intrusion Threat Detection, by Jeffrey D. Hodges, Attorney DocketNo. OBLX-01020US0, filed the same day as the present application.

[0011] Each of these related Applications are incorporated herein byreference.

BACKGROUND OF THE INVENTION

[0012] 1. Field of the Invention

[0013] The present invention is directed to technology for protectingresources available on network.

[0014] 2. Description of the Related Art

[0015] As the impact of the Internet continues to alter the economiclandscape, companies are experiencing a fundamental shift in how they dobusiness. Business processes involve complex interactions betweencompanies and their customers, suppliers, partners and employees. Forexample, businesses interact constantly with their customers—often otherbusinesses—to provide information on product specification andavailability. Businesses also interact with vendors and suppliers inplacing orders and obtaining payments. Businesses must also make a widearray of information and services available to their employeepopulations, generating further interactions.

[0016] To meet new challenges and leverage opportunities, while reducingtheir overall cost-of-interactions, many organizations are migrating tonetwork-based business processes and models. Among the most important ofthese is Internet-based E-business.

[0017] To effectively migrate their complex interactions to anInternet-based E-business environment, organizations must contend with awide array of challenges and issues. For example, businesses need tosecurely provide access to business applications and content to usersthey deem authorized. This implies that businesses need to be confidentthat unauthorized use is prevented. Often, this involves the nontrivial,ongoing task of attempting to tie together disparate, system-specificauthentication and/or authorization schemes.

[0018] E-business is also challenged with cohesively managing disparateend user, application, content, policy and administrative information.Historically, user and authorization information have been stored inapplication-specific formats and often on a per-application basis. It islabor intensive to maintain consistency across the disparaterepositories and, thus, the cost for user and policy administrationincrease as more application and content are added. Such an aggregatedsystem is difficult to replicate and scale. This can lead to operationalerrors, poor user experiences, and loss of confidence in the E-businessby all those concerned.

[0019] Another challenge facing E-business is how to scale theE-business over time. A successful E-business network, its applications,and content must be able to seamlessly scale from a modest flood ofrequests to a torrent. At the same time, it must be able to scaleadministratively. Increases in traffic, users, and content requireadditional administrative effort. To avoid bottlenecks, scaling must beaccomplished in a decentralized, delegated fashion. This includesincorporating associated portals seamlessly into the E-business network.Because E-businesses often accumulate various disparate systems, theyneed to offer a seamless experience to users and not unduly burdenadministrators.

[0020] To meet these challenges, an E-business host company needs a webaccess management solution that delivers the ability to effectivelysecure and manage all the various network-based interactions. A systemshould accommodate all participants involved with the E-business,whether they are local or remote. It must also be able to distinguishbetween the E-business' employees and all the users who are affiliatedwith the E-business host's customers, suppliers and/or partners.

[0021] In the past, various entities have offered identity managementsystems which store and manage identity information for users such ascompany employees, suppliers, etc. Additionally, access managementsystems have been available. These access management systems providemeans for authenticating users and authorizing users. However, theprevious access management systems do not include, or are not capable ofcommunicating with, a robust identity system. Those that couldcommunicate with an identity system did not take full advantage of theinformation stored and managed by the identity system.

[0022] Furthermore, previous access management systems have not fullyprovided for the increase in volume of users and content. In today'sbusiness climate, the quantity of content protected, the volume oftraffic and the number of users accessing the system is enormous. It isup to one or more administrators to provide access rules for the variouscontent. These access rules determine who can access what content. Asthe amount of content and the number of users increase dramatically,managing these rules becomes difficult. Because the rules are typicallygenerated by humans, it is easy for mistakes to occur. As the systemgrows, these mistakes multiply. Thus, there is a need for a means toverify control policies created for various content protected by anaccess management system before the policies are enforced.

SUMMARY OF THE INVENTION

[0023] The present invention, roughly described, provides for a systemthat allows for the assessment of coverage of access control criteria inan access management system by determining access results withoutgranting access to the resource. The present invention allows anadministrator, or any other authorized user, to determine who or whatentities have access to a resource, whether a particular individual orset of individuals have access to a resource under certain conditionsand whether the authorization rules associated with a resource operateas intended. In one embodiment, an administrator uses a graphical userinterface to enter access information. One example of access informationincludes all or some of the following: one or more URLs identifying theresource(s), one or more request methods, one or more IP addresses, dateand time restrictions, and an identification of one or more users.

[0024] The system of the present invention receives the accessinformation and tests whether the identified one or more resource areauthorized for use based on the access information. In one embodiment,this process includes determining whether the identified users areauthorized to access the identified resources at the identified date andtime, using the identified request methods. The results of the tests arereported to the administrator or other user.

[0025] In one embodiment, the process of testing whether a user isauthorized to access a resource includes accessing an identity profilefor that user and comparing the information in the identity profile toauthorization criteria. One example of authorization criteria is anauthorization rule. The present invention can use a defaultauthorization rule associated with a set of resources that includes theresource being tested or an authorization rule specific to theparticular resource being tested. In one implementation, the system usesthe identity of the resource, the request method, data and time tolocate an access control policy associated with the resource. The user'saccess is then determined based on the access control policy.

[0026] The present invention can be implemented using hardware,software, or a combination of both hardware and software. The softwareused for the present invention is stored on one or more processorreadable storage devices including hard disk drives, CD-ROMs, opticaldisks, floppy disks, tape drives, RAM, ROM or other suitable storagedevices. In alternative embodiments, some or all of the software can bereplaced by dedicated hardware including custom integrated circuits,gate arrays, FPGAs, PLDs, and special purpose computers. Hardware thatcan be used for the present invention includes computers, handhelddevices, telephones (e.g. cellular, Internet enabled, etc.), etc. Someof these devices includes processors, memory, nonvolatile storage, inputdevices and output devices.

[0027] These and other objects and advantages of the present inventionwill appear more clearly from the following description in which thepreferred embodiment of the invention has been set forth in conjunctionwith the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0028]FIG. 1 is a block diagram depicting the components of oneembodiment of the present invention.

[0029]FIG. 2 is a block diagram depicting the components of thecomputing system that can be used with the present invention.

[0030]FIG. 3 is a block diagram depicting the components of a DirectoryServer.

[0031]FIG. 4 is an example of a directory tree structure.

[0032]FIG. 5 is a flow chart describing a process for setting up accessrules for an Identity Management System.

[0033]FIG. 6 is a flow chart describing a process for editing anattribute access criteria.

[0034]FIG. 7 is a flow chart describing a process for configuringlocalized access.

[0035]FIG. 8 is a flow chart describing a process for controlling accessto attributes in the Identity Management System.

[0036]FIG. 9 is a flow chart describing a process for determining accessto attributes of a target.

[0037]FIG. 10 is a flow chart describing a process for determiningwhether there is a localized access violation for a class.

[0038]FIG. 11 is a flow chart describing a process for determiningwhether there is localized access for an attribute.

[0039]FIG. 12 is a flow chart describing a process for modifying anattribute.

[0040]FIG. 13 is a flow chart describing the active automation process.

[0041]FIG. 14 is a block diagram depicting the components of a Web Gate.

[0042]FIG. 15 is a block diagram depicting the components of an AccessServer.

[0043]FIG. 16 is a flow chart describing a process for creating a policydomain.

[0044]FIG. 17 is a flow chart describing a process for adding anauthorization rule.

[0045]FIG. 18 is a flow chart describing a process for adding headervariables to an HTTP request.

[0046]FIG. 19 is a flow chart describing a process for adding anauthentication rule.

[0047]FIG. 20 is a flow chart describing a process for configuring anaudit rule.

[0048]FIG. 21 is a flow chart describing a process for creating apolicy.

[0049]FIG. 22 is a flow chart describing an exemplar process performedby the Access System of one embodiment of the present invention.

[0050]FIG. 23 is a flow chart describing a process for determiningwhether a particular resource is protected.

[0051]FIG. 24 is a flow chart describing a process for mapping aresource with a policy domain.

[0052]FIG. 25 is a flow chart describing a process for retrieving firstand second level authentication rules.

[0053]FIG. 26 is a flow chart describing a process for determiningwhether a resource URL matches a specific policy URL.

[0054]FIG. 26A is a flow chart describing a process for determiningwhether a resource matches a specific policy using POST data.

[0055]FIG. 27 provides a block diagram of a retainer data structure.

[0056]FIG. 28 is a flow chart describing authentication.

[0057]FIG. 29 is a block diagram depicting various components involvedin the authentication process.

[0058]FIG. 30 is a flow chart describing a process for authentication.

[0059]FIG. 31 is a flow chart describing a process for retrieving anauthentication challenge scheme from a Directory Server.

[0060]FIG. 32 is a flow chart describing a method for performing basicauthentication.

[0061]FIG. 33 is a flow chart describing the process performed by anAccess Server to authenticate using a user ID and password.

[0062]FIG. 34 is a flow chart describing form authentication.

[0063]FIG. 35 is a flow chart describing a process for clientcertificate authentication.

[0064]FIG. 36 is a flow chart describing a process for authenticating auser using certificates.

[0065]FIG. 37 is a block diagram depicting the components of oneembodiment of an encrypted cookie.

[0066]FIG. 38 is a flowchart describing a process for authorization.

[0067]FIG. 39 is a flow chart describing the steps performed whenpassing authorization information using POST data.

[0068]FIG. 40 is a block diagram of an exemplar HTTP request.

[0069]FIG. 41 is a flow chart describing a process for obtaining firstand second level authorization rules from a Directory Server.

[0070]FIG. 42 is a flow chart describing a process for evaluating anauthorization rule.

[0071]FIG. 43 is a flow chart describing a process for applying anauthorization rule to extracted POST data.

[0072]FIG. 44 is a flow chart describing a process for performingauthentication success actions.

[0073]FIG. 45 is a flow chart describing a process for performingauthentication and authorization failure actions.

[0074]FIG. 46 is a flow chart describing a process for performingauthorization success actions.

[0075]FIG. 47 is a flow chart describing a process for using headervariables.

[0076]FIG. 48 is a flow chart describing the steps performed by theauditing module of one embodiment of the present invention.

[0077]FIG. 49 is a flow chart describing a method for retrieving firstand second level audit rules.

[0078]FIG. 50 is a block diagram depicting one embodiment of componentsused for intrusion detection.

[0079]FIG. 51 is a flow chart describing a process for detectingintrusions.

[0080]FIG. 52 is a flow chart describing a process performed at asecurity server as part of a process for detecting intrusions.

[0081]FIG. 53 is a flow chart describing a process forflushing/synchronizing caches performed by an Access Manager.

[0082]FIG. 54 is a block diagram depicting a synchronization record.

[0083]FIG. 55 is a flow chart describing a process forflushing/synchronizing caches performed by an Access Server.

[0084]FIG. 56 is a flow chart describing a process forflushing/synchronizing caches performed by a Web Gate.

[0085]FIG. 57 is a flow chart describing a process for testing accesscriteria.

DETAILED DESCRIPTION

[0086]FIG. 1 depicts an Access System which provides identity managementand access management for a network. In general, an Access Systemmanages access to resources available to a network. The identitymanagement portion of the Access System (hereinafter “the IdentityManagement System”) manages end user identity profiles, while the accessmanagement portion of the Access System (hereinafter “the AccessManagement System”) provides security for resources across one or moreweb servers. Underlying these modules is active automation, a delegationand work flow technology. The active automation technology couples theIdentity and Access Management Systems by facilitating delegation ofroles and rights, plus providing workflow-enabled management of end useridentity profiles. A key feature of one embodiment of this system is thecentralization of the repositories for policies and user identityprofiles while decentralizing their administration. That is, oneembodiment of the system centralizes the policy and identityrepositories by building them on a directory service technology. Thesystem decentralizes their administration by hierarchly delegatedAdministrative roles. Although the Access System of FIG. 1 includes anIdentity Management System and an Access Management System, other AccessSystems may only include an Identity Management System or only includean Access Management System.

[0087]FIG. 1 is a block diagram depicting one embodiment for deployingan Access System. FIG. 1 shows web browsers 12 and 14 accessing WebServer 18 and/or Administration Server 20 via Internet 16. In oneembodiment, web browsers 12 and 14 are standard web browsers known inthe art running on any suitable type of computer. FIG. 1 depicts webbrowsers 12 and 14 communicating with Web Server 24 and AdministrationServer 20 using HTTP over the Internet; however, other protocols andnetworks can also be used.

[0088] Web Server 18 is a standard Web Server known in the art andprovides an end user with access to various resources via Internet 16.In one embodiment, there is a first firewall (not shown) connectedbetween Internet 16 and Web Server 18, a second firewall (not shown)connected between Web Server 18 and Access Server 34.

[0089]FIG. 1 shows two types of resources: resource 22 and resource 24.Resource 22 is external to Web Server 18 but can be accessed through WebServer 18. Resource 24 is located on Web Server 18. A resource can beanything that is possible to address with a uniform resource locator(URL see RFC 1738). A resource can include a web page, softwareapplication, file, database, directory, a data unit, etc. In oneembodiment, a resource is anything accessible to a user on a network.The network could be the Internet, a LAN, a WAN, or any other type ofnetwork. Table 1, below, provides examples of resources and at least aportion of their respective URL syntax: Resource URL Encoding Directory/Sales/ HTML Page /Sales/Collateral/index.html CGI Script with no query/cgi-bin/testscript.cgi CGI Script with query/cgi_bin/testscript.cgi?button=on Application /apps/myapp.exe

[0090] A URL includes two main components: a protocol identifier and aresource name separated from the protocol identifier by a colon and twoforward slashes. The protocol identifier indicates the name of theprotocol to be used to fetch the resource. Examples includes HTTTP, FTP,Gopher, File and News. The resource name is the complete address to theresource. The format of the resource name depends on the protocol. ForHTTP, the resource name includes a host name, a file name, a port number(optional) and a reference (optional). The host name is the name of themachine on which the resource resides. The file name is the path name tothe file on the machine. The port number is the number of the port towhich to connect. A reference is a named anchor within a resource thatusually identifies a specific location within a file. Consider thefollowing URL: “http://www.oblix.com/oblix/sales/index.html.” The string“http” is the protocol identifier. The string “www.oblix.com” is thehost name. The string “/oblix/sales/index.html” is the file name.

[0091] A complete path, or a cropped portion thereof, is called a URLprefix. In the URL above, the string “/oblix/sales/index.html” is a URLprefix and the string “/oblix” is also a URL prefix. The portion of theURL to the right of the host name and to the left of a query string(e.g. to the left of a question mark, if there is a query string) iscalled the absolute path. In the URL above, “/oblix/sales/index.html” isthe absolute path. A URL can also include query data, which is typicallyinformation following a question mark. For example, in the URL:

[0092] http://www.oblix.com/oblix/sales/index.html?user=smith&dept=salesthe query data is “user=smith&dept=sales.” Although the discussionherein refers to URLs to identify a resource, other identifiers can alsobe used within the spirit of the present invention.

[0093]FIG. 1 shows Web Server 18 including Web Gate 28, which is asoftware module. In one embodiment, Web Gate 28 is a plug-in to WebServer 18. Web Gate 28 communicates with Access Server 34. Access Server34 communicates with Directory Server 36.

[0094] Administration Server 20 is a web-enabled server. In oneembodiment, Administration Server 20 includes Web Gate 30. Otherembodiments of Administration Server 20 do not include Web Gate 30.Administration Server 20 also includes other software modules, includingUser Manager 38, Access Manager 40, and System Console 42. DirectoryServer 36 is in communication with User Manager 38, Access Manager 40,System Console 42, and Access Server 34. Access Manager 40 is also incommunication with Access Server 34.

[0095] The system of FIG. 1 is scalable in that there can be many WebServers (with Web Gates), many Access Servers, and multipleAdministration Servers. In one embodiment, Directory Server 36 is anLDAP Directory Server and communicates with other servers/modules usingLDAP over SSL. In other embodiments, Directory Server 36 can implementother protocols or can be other types of data repositories.

[0096] The Access Management System includes Access Server 34, Web Gate28, Web Gate 30 (if enabled), and Access Manager 40. Access Server 34provides authentication, authorization, and auditing (logging) services.It further provides for identity profiles to be used across multipledomains and Web Servers from a single web-based authentication(sign-on). Web Gate 28 acts as an interface between Web Server 18 andAccess Server 34. Web Gate 28 intercepts requests from users forresources 22 and 24, and authorizes them via Access Server 34. AccessServer 34 is able to provide centralized authentication, authorization,and auditing services for resources hosted on or available to Web Server18 and other Web Servers.

[0097] Access Manager 40 allows administrators access to manage multipleresources across an enterprise and to delegate policy administration tothe persons closest to specific business applications and content. Inone embodiment, administrators perform these tasks using an intuitivegraphical user interface (“GUI”).

[0098] User Manager 38 provides a user interface for administrators touse, establish and/or manage identity profiles. An identity profile(also called a user profile or user identity profile) is a set ofinformation associated with a particular user. The data elements of theidentity profile are called attributes. In one embodiment, an attributemay include a name, value and access criteria. In one embodiment, anidentity profile stores the following attributes: first name, middlename, last name, title, email address, telephone number, fax number,mobile telephone number, pager number, pager email address,identification of work facility, building number, floor number, mailingaddress, room number, mail stop, manager, direct reports, administrator,organization that the user works for, department number, department URL,skills, projects currently working on, past projects, home telephone,home address, birthday, previous employers and anything else desired tobe stored by an administrator. Other information can also be stored. Inother embodiments, less or more than the above-listed information isstored.

[0099] System Console 42 provides a GUI for administrators to performvarious tasks such as managing Administration roles, managing varioussystem wide settings, and configuring the Identity and Access ManagementSystems. System Console 42 can be used to manage groups (optional) anddeparting users, reclaim unused resources, manage logging, configureparameters for authentication, configure parameters for authorization,and so on. Additionally, System Console 42 can be used to configure userschemes and control access to certain Identity Management Systemcapabilities (such as “new user,” “deactivate user,” “workflow,” and soon).

[0100] The system of FIG. 1 is used to protect a web site, network,Intranet, Extranet, etc. To understand how the system of FIG. 1 protectsa web site (or other structure), it is important to understand theoperation of unprotected web sites. In a typical unprotected web site,end users cause their browsers to send a request to a Web Server. Therequest is usually an HTTP request which includes a URL. The Web Serverthen translates, or maps, the URL into a file system's name space andlocates the matching resource. The resource is then returned to thebrowser.

[0101] With the system of FIG. 1 deployed, Web Server 18 (enabled by WebGate 28, Access Server 34, and Directory Server 36) can make informeddecisions based on default and/or specific rules about whether to returnrequested resources to an end user. The rules are evaluated based on theend user's profile, which is managed by the Identity Management System.In one embodiment of the present invention, the general method proceedsas follows. An end user enters a URL or an identification of a requestedresource residing in a protected policy domain. The user's browser sendsthe URL as part of an HTTP request to Web Server 18. Web Gate 28intercepts the request. If the end user has not already beenauthenticated, Web Gate 28 causes Web Server 18 to issue a challenge tothe browser for log-on information. The received log-on information isthen passed back to Web Server 18 and on to Web Gate 28. Web Gate 28 inturn makes an authentication request to Access Server 34, whichdetermines whether the user's supplied log-on information is authenticor not. Access Server 34 performs the authentication by accessingattributes of the user's profile and the resource's authenticationcriteria stored on Directory Server 36. If the user's supplied log-oninformation satisfies the authentication criteria, the process flows asdescribed below; otherwise, the end user is notified that access to therequested resource is denied and the process halts. After authenticatingthe user, Web Gate 28 queries Access Server 34 about whether the user isauthorized to access the resource requested. Access Server 34 in turnqueries Directory Server 36 for the appropriate authorization criteriafor the requested resource. Access Server 34 retrieves the authorizationcriteria for the resource and, based on that authorization criteria,Access Server 34 answers Web Gate 28's authorization query. If the useris authorized, the user is granted access to the resource; otherwise,the user's request is denied. Various alternatives to the abovedescribed flow are also within the spirit and scope of the presentinvention.

[0102] In one embodiment, the system of FIG. 1 includes means forproviding and managing identity profiles, and means for defining andmanaging authentication and authorization policies. In oneimplementation, user identity and authentication/authorizationinformation is administered through delegable Administration roles.Certain users are assigned to Administration roles, thus conferring tothem the rights and responsibilities of managing policy and/or useridentities in specific portions of the directory and web name spaces.The capability to delegate Administration duties enables a site to scaleadministratively by empowering those closest to the sources of policyand user information with the ability to manage that information.

[0103] A role is a function or position performed by a person in anorganization. An administrator is one type of role. In one embodiment,there are at least five different types of administrators: SystemAdministrator, Master Access Administrator, Delegated AccessAdministrator, Master Identity Administrator, and Delegated IdentityAdministrator. A System Administrator serves as a super user and isauthorized to configure the system deployment itself and can manage anyaspect of the system.

[0104] A Master Access Administrator is assigned by the systemadministrator and is authorized to configure the Access ManagementSystem. The Master Access Administrator can define and configure WebGates, Access Servers, authentication parameters, and policy domains. Inaddition, Master Access Administrators can assign individuals toDelegated Access Administrator roles. A Delegated Access Administratoris authorized to create, delete and/or update policies within theirassigned policy domain (described below), and create new policy domainssubordinate to their assigned policy domains. A Delegated AccessAdministrator may also confer these rights to others. A Master IdentityAdministrator, assigned by the System Administrator, is authorized toconfigure the Identity Management System, including defining andconfiguring end user identities and attributes, per attribute accesscontrol, who may perform new user and deactivate (revocation) userfunctions. Master Identity Administrators may also designate individualsto Delegate Identity Administrator roles. A Delegated IdentityAdministrator is selectively authorized to perform new user anddeactivate user functions.

[0105] A policy domain is a logical grouping of Web Server host ID's,host names, URL prefixes, and rules. Host names and URL prefixes specifythe course-grain portion of the web name space a given policy domainprotects. Rules specify the conditions in which access to requestedresources is allowed or denied, and to which end users these conditionsapply. Policy domains contain two levels of rules: first level defaultrules and second level rules contained in policies. First level defaultrules apply to any resource in a policy domain not associated with apolicy.

[0106] A policy is a grouping of a URL pattern, resource type, operationtype (such as a request method), and policy rules. These policy rulesare the second level rules described above. There are two levels ofrules available (first and second levels) for authentication,authorization, and auditing. Policies are always attached to a policydomain and specify the fine-grain portion of a web name space that apolicy protects. In practice, the host names and URL prefixes from thepolicy domain the policy belongs to are logically concatenated with thepolicy's URL pattern and the resulting overall patterns compared to theincoming URL. If there is a match, then the policy's various rules areevaluated to determine whether the request should be allowed or denied;if there is not a match, then default policy domain rules are used.

[0107]FIG. 2 illustrates a high level block diagram of a computer systemwhich can be used for the components of the present invention. Thecomputer system of FIG. 2 includes a processor unit 50 and main memory52. Processor unit 50 may contain a single microprocessor, or maycontain a plurality of microprocessors for configuring the computersystem as a multi-processor system. Main memory 52 stores, in part,instructions and data for execution by processor unit 50. If the systemof the present invention is wholly or partially implemented in software,main memory 52 can store the executable code when in operation. Mainmemory 52 may include banks of dynamic random access memory (DRAM) aswell as high speed cache memory.

[0108] The system of FIG. 2 further includes a mass storage device 54,peripheral device(s) 56, user input device(s) 60, portable storagemedium drive(s) 62, a graphics subsystem 64 and an output display 66.For purposes of simplicity, the components shown in FIG. 1 are depictedas being connected via a single bus 68. However, the components may beconnected through one or more data transport means. For example,processor unit 50 and main memory 52 may be connected via a localmicroprocessor bus, and the mass storage device 54, peripheral device(s)56, portable storage medium drive(s) 62, and graphics subsystem 64 maybe connected via one or more input/output (I/O) buses. Mass storagedevice 54, which may be implemented with a magnetic disk drive or anoptical disk drive, is a non-volatile storage device for storing dataand instructions for use by processor unit 50. In one embodiment, massstorage device 54 stores the system software for implementing thepresent invention for purposes of loading to main memory 52.

[0109] Portable storage medium drive 62 operates in conjunction with aportable non-volatile storage medium, such as a floppy disk, to inputand output data and code to and from the computer system of FIG. 2. Inone embodiment, the system software for implementing the presentinvention is stored on such a portable medium, and is input to thecomputer system via the portable storage medium drive 62. Peripheraldevice(s) 56 may include any type of computer support device, such as aninput/output (I/O) interface, to add additional functionality to thecomputer system. For example, peripheral device(s) 56 may include anetwork interface for connecting the computer system to a network, amodem, a router, etc.

[0110] User input device(s) 60 provide a portion of a user interface.User input device(s) 60 may include an alpha-numeric keypad forinputting alpha-numeric and other information, or a pointing device,such as a mouse, a trackball, stylus, or cursor direction keys. In orderto display textual and graphical information, the computer system ofFIG. 2 includes graphics subsystem 64 and output display 66. Outputdisplay 66 may include a cathode ray tube (CRT) display, liquid crystaldisplay (LCD) or other suitable display device. Graphics subsystem 64receives textual and graphical information, and processes theinformation for output to display 66. Additionally, the system of FIG. 2includes output devices 58. Examples of suitable output devices includespeakers, printers, network interfaces, monitors, etc.

[0111] The components contained in the computer system of FIG. 2 arethose typically found in computer systems suitable for use with thepresent invention, and are intended to represent a broad category ofsuch computer components that are well known in the art. Thus, thecomputer system of FIG. 2 can be a personal computer, workstation,server, minicomputer, mainframe computer, or any other computing device.The computer can also include different bus configurations, networkedplatforms, multi-processor platforms, etc. Various operating systems canbe used including Unix, Linux, Windows, Macintosh OS, Palm OS, and othersuitable operating systems.

[0112]FIG. 3 is a block diagram of Directory Server 36. Directory Server36 stores user identity profiles 102. Each identity profile includes aset of attributes for the particular end users. Group information 104 isalso stored, which describes logical relationships and groupings ofusers having identity profiles 102 stored on Directory Server 36. Aplurality of policies 106, each of which is associated with a policydomain as described above, are also stored on Directory Server 36.Revoked user list 108 identifies users previously (but no longer)allowed access to resources on their system. Shared secret(s) 110 arekeys stored on Directory Server 36 used for encrypting cookies set onbrowsers 12 or 14 after a successful user authentication. Sharedsecret(s) (keys) 110 can change as often as desired by an administrator.In one embodiment of the present invention, previously valid keys are“grandfathered” such that both a current key and an immediately priorkey will de-crypt encrypted cookies. Global sequence number (GSN) 112 isa unique number stored on Directory Server 36 which is assigned to apolicy domain change (first level default rules) or policy change(second level resource-specific rules) and updated in response tosubsequent policy changes for cache flushing purposes. In one embodimentof the present invention, the GSN is incremented to the next sequentialnumber after detection of a policy domain or policy change. Userattribute list 114 is a list of user identity profile attributes used bycached authentication and authorization rules.

[0113]FIG. 4 depicts an exemplar directory tree that can be stored onDirectory Server 36. Each node on the tree is an entry in the directorystructure. Node 130 is the highest node on the tree and represents anentity responsible for the directory structure. In one example, anentity may set up an Extranet and grant Extranet access to manydifferent companies. The entity setting up the Extranet is node 130.Each of the companies with Extranet access would have a node at a levelbelow node 130. For example, company A (node 132) and company B (node134) are directly below node 130. Each company may be broken up intoorganizations. The organizations could be departments in the company orlogical groups to help manage the users. For example, FIG. 4 showscompany A broken up into two organizations: organization A with node 136and organization B with node 138. Company B is shown to be broken upinto two organizations: organization C with node 140 and organization Dwith node 142. FIG. 4 shows organization A having two end users:employee 1 with node 150 and employee 2 with node 152. Organization B isshown with two end users: employee 3 with node 154 and employee 4 withnode 156. Organization C is shown with two end users: employee 5 withnode 158 and employee 6 with node 160. Organization D is shown with twoend users: employee 7 with node 162 and employee 8 with node 164.

[0114] Each node depicted in FIG. 4 can include one or more identityprofiles stored in Directory Server 36. In one embodiment, there aredifferent types of object-oriented classes for storing information foreach identity profile. One exemplar class pertains to entities such asentity 130, company A (node 133), and company B (node 134). A secondexemplar class stores information about organizational units such asorganization A (node 136), organization B (node 138), organization C(node 140), and organization D (node 142). In one embodiment, each ofthe organizations are departments in a company and each of the users areemployees who work for that particular organization. A third exemplarclass is for individual persons such as employee 1 (node 150), employee2, (node 152), . . . employee 8 (node 164). Although the directory treeis depicted as having three levels, more or less than three levels canbe used.

[0115] In a typical use of the Identity Management System shown in FIG.4, a source from the Identity Management System attempts to access atarget in the Identity Management System. For example, employee 1 (node150) may seek to access the profile for employee 4 (node 156). Thus,node 150 is the source and node 156 is the target. For efficiencypurposes, one embodiment stores access information at the target and atthe highest level for targets with common access rules. In some cases,access information is stored at a higher level even if a lower leveldoes not include common access rules.

[0116]FIG. 5 is a flow chart describing the process for setting up anidentity profile by an administrator having authority to do so. In step200, the administrator selects the object class to be used for thedirectory entry or entries being created. As previously described, thereare at least three classes: organization, organizational unit, and user.In step 200, the master identity administrator selects which class is tobe used for the entry. After the object class is selected in step 200,all possible attributes for the particular class appear on a graphicaluser interface (GUI) (step 202). In step 204, the administrator selectsone of the attributes. In step 206, the master identity administratoredits the access criteria for the attribute. In step 210, it isdetermined whether there are any more attributes to consider. If so, themethod loops back to step 204. Otherwise, the process of FIG. 5 iscompleted (step 214).

[0117]FIG. 6 is a flow chart describing step 206 of FIG. 5, editingaccess criteria for an attribute. In step 230, the administrator selectswhere in the tree structure of FIG. 4 to store the access informationfor the particular attribute under consideration. For example, if theadministrator is setting up an identity profile for employee 2 (node152) of FIG. 4, attribute access information can be stored at node 152,node 136, node 132, or node 130. In step 230, it is determined which oneof those available nodes will store the information. In step 232, thepermissions to modify the attribute are set up using a policy. A policycan identify person(s) who can modify the attribute. The policy canidentify a set of people by identifying a role, by identifying a rulefor identifying people, by identifying one or more people directly byname, or by identifying a named group. In step 236, permissions are setup to determine who can view the attributes. The Identity ManagementSystem policy determines which users can view identity profileattributes by defining a role, defining a rule, identifying persons byname, or listing an identified group. In one embodiment, the rulementioned above is an LDAP rule. In step 238 (an optional step), theability to edit the permissions are delegated to others. In step 240, anotify list is set up. The notify list identifies a set of zero or morepersons who are notified (e.g. by email) when the attribute is modified.

[0118] In one embodiment, the Identity Management System includes alocalized access feature. This feature restricts certain user's accessto identity profiles within a defined locale. For example, if an entitysets up an Extranet similar to the tree of FIG. 4, and allows two of itssuppliers (e.g. company A and company B) to access the Extranet, companyA may not want employees from company B to access identity profiles foremployees of company A. In accordance with the present invention, a setof identity profiles can be defined as a locale. Users outside thelocale can be restricted from accessing identity profiles inside thelocale. Alternatively, users outside the locale can be restricted fromaccessing certain attributes of identity profiles inside the locale. Thelocalized access feature can be used to prevent any nodes, includingnode 132 and any nodes below node 132, from accessing node 134 and anynode below node 134. The localized access feature can be used at otherlevels of granularity and/or at other levels of the organizationalhierarchy. For example, users below node 136 can be blocked fromaccessing profiles below node 138, node 140, node 142, node 134, etc.

[0119]FIG. 7 is a flow chart describing the process for configuringlocalized access. In step 262, a localized access parameter for theentire system of FIG. 1 is set. This parameter turns on the localizedaccess function. In step 266 of FIG. 7, a class attribute can be set forlocalized access. Each identity profile has a set of attributes. One ofthose attributes is designated as the class attribute. The classattribute is used to identify the identity profile. A reference to aparticular identity profile is a reference (or pointer) to the classattribute for the identity profile. The class attribute can beconfigured for localized access by setting up a localized access filterthat identifies the locale. If the source of a request is in a differentlocale than the locale defined for the class attribute, then the sourceis denied access to the target. The localized access filter can be anabsolute test such as “Company=Acme” or the filter can name anotherattribute (called a domain attribute). If the filter names a domainattribute (e.g. company attribute, address attribute, last nameattribute, organization attribute, etc. ), then the filter is satisfiedif the named attribute for source matches the named attribute for thetarget. For example, if the domain attribute named for the classattribute is “Company Name,” than a source can only access a target ifthe company name for the source is the same as the company name for thetarget. Using a domain attribute, rather than hard coding the criteria,is more dynamic because it depends on the run-time relationship of thesource and target. In one embodiment, multiple domain attributes can beused to define the locale. Users whose domain attributes are equal, arein the same locale. A user can be a member of multiple locales.

[0120] In step 268, individual attributes for a profile can beconfigured for localized access. That is, some attributes in an identityprofile can be configured for localized access, while other attributesare not. Each attribute can be provided with a localized access filterthat identifies the locale for that attribute. The localized accessfilter can include an absolute test, an LDAP test or one or more domainattributes. In one embodiment, individual attributes are not configuredin step 268 if the class attribute for the profile has already been set.It is possible to configure the class attribute for localized access andnot configure the other attributes for localized access. Similarly, insome embodiments it is possible to not configure the class attribute forlocalized access while configuring the other attributes for localizedaccess.

[0121] In one embodiment, when a source seeks to access a particularattribute in a target, the system first checks to see if the localizedaccess filter for the class attribute of the target is satisfied. If itis not satisfied, then access is denied. If it is satisfied, then thesystem first checks to see if the localized access filter for theparticular attribute of the target is satisfied. If it is or it is notconfigured for localized access, then access can be granted. If thelocalized access filter for the particular attribute of the target isnot satisfied, access to the particular attribute is denied. In summary,the localized access filter for the class attribute determines access tothe entire identity profile, while the localized access filter for aspecific attribute (other than the class attribute) determines access tothe specific attribute. After the steps of FIG. 7 are completed, theprofiles (or portions of profiles) that have been set for localizedaccess can only be accessed by those within the same locale.

[0122]FIG. 8 is a flow chart describing the process for accessing datain the Identity Management System. The data can be accessed for viewing,modifying, etc. As described above, the entity attempting to access aprofile in the Identity Management System is the source and the profilebeing accessed is the target. In step 290, the source user's browsersends a request to access attributes of a target directory entry. Instep 292, the request is received by User Manager 38. In step 294, UserManager 38 accesses the target profile and the source profile onDirectory Server 36. In step 296, User Manager 38, based on theattribute settings created or modified by the process of FIG. 5 and(possibly) the source profile, determines whether the source should haveaccess to each of the different attributes of the target profile. Thisstep is discussed in further detail below. In step 298, User Manager 38passes the information for the attributes that access is allowed for tothe source's browser. In step 300, the attributes that the source mayview are displayed on the source's browser.

[0123]FIG. 9 is a flow chart describing the process of step 296 of FIG.8, determining whether the source should have access to the variousattributes of the target. In step 320, the system determines whether alocalized access violation for the class attribute has occurred. Alocalized access violation is found when the target's class attribute isconfigured for localized access and the source is not in the locale forthe target. If there is a localized access violation, the method of FIG.9 is done (step 344) and none of the attributes for the target may beaccessed by the source. For example, if the source is employee 1 (node150 of FIG. 4), the target is employee 8 (node 164 of FIG. 4), and allof company B is subject to localized access with a domain attribute setas “company ” (in one embodiment the actual syntax is %company%) alocalized access violation will be found in step 320.

[0124] If no localized access violation is found in step 320, then oneof the attributes for the target is selected in step 322 and UserManager 38 determines whether the access information for that selectedattribute is at the current level in the tree. The first time step 324is performed, the current level in the tree is the level of the target.As previously explained, access information can be stored at thetarget's node or nodes above the target. If the access information isnot found at the current level, then in step 340, it is determinedwhether the system is inquiring at the top level of the directorystructure (e.g. node 130 of FIG. 4). If the system is at the top level,then the system determines whether all attributes have been evaluated instep 332. If all attributes have been evaluated, then the process ofFIG. 9 is done (step 348). If all attributes have not been evaluated,then the system accesses the initial level again in step 334 and loopsback to step 322. If in step 340, it is determined that the system isnot at the top level, then the system moves up one level (step 342) andloops back to step 324.

[0125] While in step 324, if the access information for the attribute isat the current level being considered, then in step 326 it is determinedwhether there is a local access violation for the attribute underconsideration. If the particular attribute being considered wasconfigured for localized access and the source is not in the relevantlocale for the target, then a localized access violation occurs and themethod of FIG. 9 is done (step 346). It will be appreciated thatlocalized access can apply to entire profiles or only certain portions(certain attributes) of profiles. If the attribute under considerationwas not configured for localized access, then there is no localizedaccess violation for the attribute under consideration. If there is nolocalized access violation for the attribute under consideration, thenthe identity profile for the source is applied to any additional accesscriteria to see whether the source should have access to the target'sattribute. If the criteria is met, access is granted in step 330 and themethod loops to step 332. At the end of the process of FIG. 9, a sourcewill be granted access to zero or more attributes. Step 300 of FIG. 8displays only those attributes for which the source has been grantedaccess.

[0126]FIG. 10 is a flow chart describing the process of step 320 in FIG.9, determining whether a localized access violation has occurred for aclass attribute. In step 360, the Identity Management System determineswhether the localized access parameter is set. If not, there is nolocalized access violation. If so, then in step 364, the systemdetermines whether a class attribute is configured for localized access.If the class attribute is not configured for localized access, there isno local access violation (step 362). If the class attribute isconfigured for localized access, then in step 366 it is determinedwhether the localized access filter is satisfied (e.g. does the domainattribute for the target must match the domain attribute for thesource?). If the localized access filter is satisfied, no localizedaccess violation occurs (step 362). If the localized access filter isnot satisfied, then a localized access violation exists and accessshould be denied (step 368).

[0127]FIG. 11 is a flow chart describing the process performed in step326 of FIG. 9, determining whether there is a localized access violationfor a particular attribute. In step 380, it is determined whether alocalized access parameter is set. If not, thee is no localized accessviolation (step 382). Otherwise, in step 384, it is determined whetherthe particular attribute is configured for localized access. If theparticular attribute is not configured for localized access, then thereis no localized access violation (step 382). If the particular attributeis configured for localized access, then in step 386 it is determinedwhether the localized access filter for the attribute underconsideration is satisfied. If the localized access filter is satisfied,then there is no localized access violation (step 382). If the localizedaccess filter is not satisfied, then there is a localized accessviolation and access should be denied (step 388).

[0128]FIG. 12 is a flow chart describing the process of how a sourceuser can modify an attribute of a target profile. In step 410, thesource user attempts to modify an attribute. For example, in oneembodiment the source user is provided a GUI which depicts the directorytree. The source user can select any node in the directory tree andclick on a button to modify a target profile. Alternatively, the sourceuser can type in a URL, distinguished name, or other identifyinginformation for the target. Once presented with a target profile (e.g.the process of FIG. 8), the user selects a particular attribute andattempts to modify it by selecting a modify button on the GUI. Thisrequest to modify is sent to User Manager 38. In step 412, User Manager38 searches for the modify criteria for the attribute in the targetdirectory. This modify criteria is the information set up in step 232 ofFIG. 6. User Manager 38 searches in the current target directory. If thecriteria is not found in the current directory being accessed (see step414), then it is determined whether the system is at the top of thedirectory tree structure (step 416). If not, then the system moves upone level in step 418. If the top of the directory structure is reached,then the source user is not allowed to modify the attribute (step 420).In step 422, User Manager 38 searches for the modify criteria in a newdirectory. After step 422, the method loops back to step 414. If in step414, it is determined that the criteria was found at the current levelbeing considered, then in step 430, the User Manager evaluates thecriteria against the target user's identity profile. If the identityprofile for the target user satisfies the criteria for modifying theattribute (step 432) then the source user is allowed to modify theattribute (step 434). Otherwise, the source user is not allowed tomodify the attribute (step 420).

[0129]FIG. 13 is a flow chart describing a process for automating theupdating of identity profiles when a source user requesting the updateis not allowed to modify the target profile. In one embodiment, thesource user is the person identified by the target profile. In step 450,the source user requests modification of the target profile. This can bea request to modify any or all of the attributes for the target profile(e.g. address, telephone number, creation of the profile, deletion ofthe profile, etc.). In step 452, it is determined whether the targetprofile is protected. It is possible to set all attributes such that anysource entity can modify the attributes In such a configuration; theprofile is not protected. If the target profile is not protected, then,in step 454, the target profile is modified as per the source user'srequest. If the target profile is protected, then in step 456, the UserManager 38 issues an electronic message (“ticket”) sent to a responsibleparty requesting that the modification be made. The responsible party isa person granted access to modify a particular attribute and has theresponsibility for doing so. In step 458, the ticket appears in aservice queue accessible by the responsible party. The service queue canbe a directory which stores all tickets or can be any database which isused to store the tickets. The responsible party may access a GUI whichindicates all tickets in the service queue, the date they were received,and what service is requested. In step 460, the requesting source usercan view whether a ticket has been serviced. In step 462, the ticket isfully serviced, partially serviced or denied by the responsible party.If the ticket is serviced, then the target will be modified. However,the target will not be modified if the ticket is denied. After thetarget is modified (or purposely not modified) and a ticket is respondedto, the ticket is removed from the service queue in step 464. In anoptional embodiment, the source is automatically notified that theticket is removed from the service queue and notified of the result ofthe request.

[0130]FIG. 14 provides a block diagram of Web Gate 28. In oneembodiment, Web Gate 28 is a Web Server plug-in running on Web Server18. In another embodiment, Web Gate 28 is an NSAPI Web Server plug-in.In another embodiment, Web Gate 28 is an ISAPI Web Server plug-in. Instill a further embodiment, Web Gate 28 is an Apache Web Server plug-in.In another embodiment, a plurality of Web Gates conforming to differentplug-in formats are distributed among multiple Web Servers.

[0131] Resource cache 502 caches authentication information forindividual resources. The information stored in resource cache 502includes: request method, URL, retainer 505, and audit mask 503. In oneembodiment of the present invention, audit mask 503 is a four bit datastructure with separate bits identifying whether authentication and/orauthorization successes and/or failures are audited (logged) for a givenresource.

[0132] Authentication scheme cache 506 stores authentication schemeinformation, including information necessary for the performance of eachdifferent authentication challenge scheme. For example, if theauthentication scheme ID parameter of a resource cache 502 entryreferences a “client certificate” authentication scheme, then theauthentication scheme ID parameter of the entry would reference anauthentication scheme cache 506 entry (keyed by the authenticationchallenge method ID). In one embodiment, authentication scheme cachestores redirect URL, authentication challenge method ID (identifying anauthentication challenge method), challenge parameters forauthentication and authentication level. Web Gate 28 also stores themost recent global sequence number 510 received from Access Server 34pursuant to a cache flushing operation, as further described below.

[0133] Event manager 514 calls redirection event handler 504, resourceprotected event handler 508, authentication event handler 512, orauthorization event handler 516 to perform redirection, a resourceprotected method, an authentication method, or an authorization method(all further described herein), respectively. Redirection event handler504 redirects browser 12 or 14 in response to redirection eventsinitiated by Access Server 34 or other components of Web Gate 28.Resource protected event handler 508 performs steps in a method fordetermining whether a requested resource falls protected within a policydomain. Authentication event handler 512 performs steps in a method forauthenticating a user of browser 12 or 14 upon a finding that arequested resource is protected. Authorization event handler 516performs steps in a method for determining whether a user of browser 12or 14 is authorized to access a requested resource upon a successfulauthentication or receipt of a valid authentication cookie, furtherdescribed herein. Sync record table 518 identifies all existingsynchronization records not yet processed by Web Gate 28 as furtherdescribed herein.

[0134]FIG. 15 provides a block diagram of Access Server 34.Authentication module 540 is provided for carrying out steps in a methodfor authenticating a user as further described herein. Authorizationmodule 542 is provided for carrying out steps in a method forauthorizing a user to access a requested resource as further describedherein. Auditing module 544 carries out steps in a method for auditing(logging) successful and/or unsuccessful authentications and/orauthorizations as further described herein. Audit logs 546 storeinformation logged by auditing module 544 in accordance with the presentinvention. Audit logs sensors 548 include one or more sensors thatmonitor the audit logs for certain types of events. Synchronizationrecords 550 are stored on Access Server 34 in accordance with a methodfor flushing caches as further described herein.

[0135] Access Server 34 stores the most recent global sequence number554 received from Access Manager 40 pursuant to a cache flushingoperation. URL prefix cache 564 stores the URL prefixes associated withpolicy domains that are protected by the Access Management System. URLprefix cache 564 facilitates the mapping of requested resources topolicy domains, as further described herein. URL prefix cache 564 isloaded from Directory Server 36 upon initialization of Access Server 34.

[0136] Policy domain cache 566 caches all default authentication rulesof each policy domain in accordance with the present invention. Policydomain cache further stores an array of rules 565 listing all defaultand resource-specific rules associated with resources in a given policydomain. Each rule entry in array 565 includes the ID of the rule andcompiled information about the URL pattern (resource) to which the ruleapplies. Array 565 enables Access Server 34 to quickly find the firstlevel default authentication, authorization, and auditing rules for agiven policy domain, as well as second level rules (authentication,authorization, and auditing rules) associated with particular policiesin the policy domain.

[0137] Authentication scheme cache 568 caches information necessary forthe performance of different authentication challenge methods assimilarly described above for authentication scheme cache 506 of WebGate 28. Authentication rule cache 570 caches second levelauthentication rules associated with policies. The rules inauthentication rule cache 570 are listed in array 565. Upon determiningthat a second level authentication rule exists and learning its ID (bylooking in array 565), Access Server 34 can easily find the second levelauthentication rule in authentication rule cache 570. The second levelrules are the rules associated with policies, discussed above.

[0138] Authorization rule cache 572 caches first level defaultauthorization rules as well as second level authorization rules. Therules in authorization rule cache 572 are listed in array 565. Upondetermining that a first or second level authorization rule exists andlearning its ID (by looking in array 565), Access Server 34 can easilyfind the applicable authorization rule for a given resource inauthorization rule cache 572.

[0139] Audit rule cache 574 caches first level default audit rules aswell as second level audit rules. The rules in audit rule cache 574 arelisted in array 565. Upon determining that a first or second level auditrule exists and learning its ID (by looking in array 565), Access Server34 can easily find the applicable audit rule for a given resource inaudit rule cache 574.

[0140] User profile cache 576 stores identity profile attributespreviously used in authentications, authorization, or audit steps, inaccordance with the present invention. User policy cache 578 stores thesuccessful and unsuccessful authorization results for specific usersrequesting specific resources governed by authorization rules based onan LDAP filter or a group membership. User policy cache 578 allowsAccess Server 34 to quickly recall a user's authorization if the userhas recently accessed the resource.

[0141]FIG. 16 is a flow chart which describes the process of creating apolicy domain. In step 600, System Console 42 (or Access Manager 40)receives a request to create a policy domain. In step 602, the name ofthe policy domain and the description of the policy name are stored. Instep 604, one or more URL prefixes are added to the policy domain. Instep 605, one or more host ID's are added to the policy domain(optional). Next, one or more access rules are added to the policydomain. An access rule is a rule about accessing a resource. Examples ofaccess rules include authorization rules, authentication rules, auditingrules, and other rules which are used during the process or attemptingto access a resource. In step 606, a first level (default)authentication rule is added to the policy domain. In general,authentication is the process of verifying the identity of the user.Authentication rules specify the challenge method by which end usersrequesting access to a resource in the policy domain must prove theiridentity (authentication). As previously discussed, first level(default) authentication rules apply to all resources in a policydomain, while second level authentication rules are associated withpolicies that apply to subsets of resources or specific resources in thepolicy domain. In one embodiment, there is only one defaultauthentication rule for a policy domain. If an administrator desires anauthentication rule to apply to only a specific resource in the policydomain, a separate policy for that specific resource having a secondlevel (specific) authentication rule should be defined, as discussedbelow. After setting up the authentication rule in step 606, one or morefirst level or default authorization rules are added to the policydomain in step 608. In general, an authorization rule determines who canaccess a resource. The default authorization rule allows or denies usersaccess to resources within its applicable policy domain. If multipleauthorization rules are created, then they are evaluated in an orderspecified in step 610. In step 612, a first level (default) audit ruleis configured for the policy domain. In step 614, zero or more policiesare added to the policy domain. In step 616, the data for the policydomain is stored in Directory Server 36 and appropriate caches(optional) are updated. In one embodiment, an authorization rule or anauthentication rule can be set up to take no action. That is, alwaysgrant authentication without any challenge or verification; or alwaysgrant authorization without any verification.

[0142]FIG. 17 is a flow chart describing the process of adding one ormore authorization rules to a policy domain (step 608 of FIG. 16). Instep 632, timing conditions are set up for the authorization rule.Timing conditions restrict the time when the authorization rule is ineffect. For example, users can be allowed access to URLs in the policydomain only during business hours, Monday through Friday. In oneembodiment, if timing conditions are not set, the authorization rule isalways in effect. The timing conditions include selecting a start date,an end date, selecting a start time and an end time, selecting themonths of the year, selecting the days of the month, and selecting thedays of the week that the rule is valid. In steps 634 and 636,authorization actions are set up. Authorization actions personalize theend user's interaction with the Web Server. In step 634, headervariables are provided for authorization success events andauthorization failure events. This feature allows for the passing ofheader variables about the end user (or other information) to otherweb-enabled resources. Web-enabled applications can personalize the enduser's interaction with the Web Server using these header variables. Asa simple example, the actions could supply each application with theuser's name. An application could then greet the user with the message“hello<user's name>” whenever the user logs on. Header variables arevariables that are part of an HTTP request. FIG. 40 below illustratesthe format of an HTTP request that includes header variables 1554. If anauthorization rule is set up with header variables as part of anauthorization success action, then when a successful authorizationoccurs the HTTP request to the resource will include the headervariables. Similarly, if there are header variables for an authorizationfailure, then an authorization failure event will include adding headervariables to the HTTP request that redirects a browser to anauthorization failure web page. The resources identified by the HTTPrequests, that include the header variables can use the header variablesany way desired. In one embodiment of the method of FIG. 17, one or moregroups can be specified for authorization to the resource(s).

[0143]FIG. 18 is a flow chart that describes the process of addingheader variables to an HTTP request (see step 634 of FIG. 17). Headervariables can be added during an authorization success event,authorization failure event, authentication success event orauthentication failure event. In step 650, the variable name is entered.In step 652, a text string is entered. In step 654, one or more LDAPattributes are entered. In step 656, it is determined whether any moreheader variables will be added. If not, the method of FIG. 18 is done(step 658). If so, the method of FIG. 18 loops back to step 650.

[0144] The variable name entered in step 650 is a value that appears inthe HTTP header that names the variable. The downstream resource usingthe header variable will search for the variable name. The stringentered is data that can be used by the downstream resource. The LDAPattribute(s) can be one or more attributes from the requesting user'sidentity profile. Thus, in the simple authorization success exampledescribed above, the variable name field can include “authorizationsuccess,” the return field can include “yes,” and the attribute fieldcan include the name attribute for the user in the user's identityprofile. Any of the attributes from the user's identity profile can beselected as a header variable.

[0145] Looking back at FIG. 17, in step 636, are direct URL can be addedfor an authorization success event and a redirect URL can be entered foran authorization failure event. Step 638 includes specifying which usersare allowed to access the resource associated with the authorizationrule. By default, users cannot access a resource until they are grantedaccess rights to it. In one embodiment, there are at least four meansfor specifying who can access a resource. The first means is toexplicitly name a set of users who can access the resource. A secondmeans includes identifying user roles. The third means is to enter anLDAP rule that can be used to identify a set of users based on acombination of one or more attributes. A fourth means is to enter an IPaddress which will allow users of computers having the specified IPaddress to access the resource. Step 640 is used to specify the usersnot allowed to access the resource associated with this rule.Identification of users, roles, LDAP rules, and IP addresses are enteredin step 640 in the same manner as entered in step 638. It is possiblethat a particular user can be subject to both an allow access rule and adeny access rule. Step 642 is used to set a priority between such rules.Optional step 644 is used to define any POST data to be used forauthorization if this feature is implemented. An HTTP POST request caninclude POST data in the body of the HTTP request (see FIG. 40 below).POST data can also be submitted in query string form. One embodiment ofthe present invention allows POST data to be used for authorizationpurposes. In optional step 644, an administrator defines which POST datais to be used for authorization purposes. If POST data is to be used forauthorization, in order for an authorization rule to be satisfied, thePOST request must include all the appropriate POST data and values forthat POST data as defined in step 644. However, it will be understoodthat POST data need not be used for authorization in all embodiments ofthe present invention. Step 646 is used to set a priority of evaluationfor the authorization rule relative to other authorization rules in agiven policy. In one embodiment, if multiple authorization rules applyto a resource, this priority determines the order of evaluation.

[0146]FIG. 19 is a flow chart describing the process for adding anauthentication rule (see step 606 of FIG. 16). In step 670, a challengescheme (also called an authentication scheme) is selected. Anauthentication scheme is a method for requesting log-on information(e.g. name and password) from end users trying to access a web resource.Within an authentication scheme is a challenge method (e.g. Basic,certificate or form). There can be more than one authentication schemewith the same challenge method (e.g. Basic over LDAP, Basic over NTDomain, . . . ). Various other authentication schemes can also be used.In step 672, header variables are added for authentication success andauthentication failure events. In step 674, redirect URLs are added forauthentication success events and authentication failure events.

[0147]FIG. 20 provides a flow chart depicting the process forconfiguring an audit rule (see step 612 of FIG. 16). In step 680, theevents to trigger an audit are selected. In one embodiment,authentication success, authentication failure, authorization successand authorization failure can be selected for auditing. In step 682, theinformation to be logged is selected for each particular eventidentified in step 680. The information logged can include informationabout the event and/or user attributes from the identity profile for theuser requesting the authentication or authorization.

[0148]FIG. 21 is a flow chart describing the process of adding a policy(see step 614 of FIG. 16). In step 718, a resource type is specified.The resource type allows different resources to be handled by differentpolicies, depending on the nature of the resource itself. For example,in one embodiment, the resource type will distinguish between resourcesaccessed using HTTP and resources accessed using FTP. In anotherembodiment, Enterprise Java Beans (EJBs) are a possible resource type.In another embodiment, user-defined custom resource types are supported.In step 720, an operation type is specified. This allows differentresources to be handled by different policies, depending on theoperations used to request the resource. In one embodiment, theoperations will be HTTP requests. Supported HTTP request methods includeGET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT, and OTHER. Inanother embodiment, if EJBs are identified as the resource type (step718), an EXECUTE operation can be specified in step 720. In anotherembodiment, user-defined custom operations are supported. In step 722, apattern for the URL path to which the policy applies is specified. Thisis the part of URL that does not include the scheme (“http”) andhost/domain (“www.oblix.com”), and appears before a ‘?’ character in theURL. In step 724, a query string is specified. This is a set ofvariables and values that must be included in the specified order in anincoming URL for the policy to match and be activated. For example, inthe URL “HTTP://www.zoo.com/animals.cgi?uid=maneaters&tigers=2” thevalues after the question mark (e.g. “uid=maneaters&tigers=2”) comprisea query string. Only a URL exhibiting the query string can match to thispolicy. For example, a URL with the “tigers” variable appearing beforethe “uid” variable will not match the above-identified policy. In step726, query string variables are added. Query string variables include aname of a variable and the variable's corresponding value. Query stringvariables are used when it is a desirable that multiple variables arefound in the query string, but the order is unimportant. Thus, for apolicy with query string variables “uid=maneaters” and “tigers=2,” a URLwith a query string having the appropriate uid and appropriate tigersvariable, in any order, will match the policy. In order for a resourceURL to apply to a policy, the path of the requested resource URL mustmatch the path of the policy as well as any query string or queryvariables. As discussed above, POST data can be submitted in querystring form (for example, in a form submission), and evaluated using thequery string variables entered in step 726.

[0149] The query string or query variables specified in the steps ofFIG. 21 do not need to uniquely identify a resource. Rather, they areused to identify a policy, which may apply to one or more resources.

[0150] Typically, the query data is added to a URL to access certaindata from a resource. However, the query data can be used in the URL toidentify the resource. Each application or resource is free to use thequery data in any way that is in agreement with standards and normsknown in the art.

[0151] In step 728 of FIG. 21, the authentication rule is created inaccordance with the method of FIG. 19. In step 730, one or moreauthorization rules are created for the policy in accordance with themethod of FIG. 17. In step 732, an audit rule for the policy isconfigured in accordance with the method of FIG. 20. In step 734, POSTdata (optional) is added to the policy. This POST data is used to mapresources with policies.

[0152] The present invention supports the use of multiple authenticationschemes. An authentication scheme comprises an authentication level, achallenge method, an SSL assertion parameter, a challenge redirectparameter, and authentication plug-ins. The authentication levelrepresents an arbitrary designation of the level of confidence that anadministrator has in a particular authentication scheme relative toother authentication schemes.

[0153] In one embodiment of the present invention, an authenticationscheme can specify one of four challenge methods: none, basic, form, andX.509. If an authentication scheme's challenge method is set to “none,”no authentication is required to access a requested resource, thusallowing support for unauthenticated users. This challenge method can beused over both unsecured as well as SSL connections. The “basic”challenge method can also be used over both unsecured and SSLconnections. The “X.509” challenge method can only be used over an SSLconnection between a user's browser and Web Server host, because theauthentication method invoked for an X509 challenge method is part ofthe SSL protocol. A “form” challenge method employs a custom,site-specific HTML form presented to the user, who enters informationand submits the form. Subsequent processing is determined by theadministrator at the time the authentication scheme is created. Formchallenge methods can be used over both unsecured and SSL connections.

[0154] The SSL parameter of an authentication scheme identifies whetherSSL is to be asserted on the connection to the user's browser by the WebServer. The challenge parameter identifies where to redirect a requestfor authentication for the particular authentication scheme.Authentication plug-ins are necessary for processing the user's suppliedinformation. Authentication plug-ins can interface with Access Server 34through an authentication API.

[0155] An authentication scheme that an attacker can easily andprofitability eavesdrop upon is typically considered “weak.” In oneembodiment, the basic authentication challenge method places the user'scredential (supplied information), a simple password, “in the clear”over an unsecured network connection. However, the authentication schemecan be made stronger by passing the user's credential over an encryptedconnection, such as SSL. In one embodiment, given two authenticationschemes (one with and one without SSL), an access administrator willassign the authentication scheme without SSL to a lower authenticationlevel than the authentication using SSL.

[0156] When a user first request a protected resource, the user ischallenged according to the authentication scheme defined by the firstlevel authentication rule in the applicable policy domain or the secondlevel authentication rule in the applicable policy associated with therequested resource. If the user satisfies the authentication rule, anencrypted authentication cookie is passed to the user's browserindicating a successful authentication. Once authenticated, the user mayrequest a second resource protected by a different policy domain and/orpolicy with a different authentication rule. The user will be allowedaccess to the second resource without re-authenticating if theauthentication level of the authentication scheme used to successfullyauthenticate for the first resource is equal to or greater than theauthentication level of the authentication scheme of the secondresource. Otherwise, the user is challenged and asked to re-authenticatefor the second resource in accordance with the second resource's higherlevel authentication scheme. Satisfaction of a higher or lowerauthentication level is determined by evaluating the authenticationcookie sent by the user's browser when requesting the second resource.In one embodiment of the present invention, administrators can define anunlimited number of authentication levels.

[0157] Once authenticated, a user can explicitly log out, causingauthentication cookies cached (or otherwise stored) by the user'sbrowser to be destroyed or become invalid. Authentication cookies canalso be set by an administrator to be destroyed after a maximum idletime has elapsed between requests to resources protected in accordancewith the present invention.

[0158]FIG. 22 provides a flow chart for one embodiment of a method forauthenticating, authorizing, and logging. In step 750, a user's browser12 requests a web-enabled resource 22 or 24. The request is interceptedby Web Gate 28 in step 752. The method then determines whether therequested resource is protected by an authentication and/orauthorization rule in step 753. If the resource is not protected, thenaccess is granted to the requested resource in step 795. If therequested resource is protected however, the method proceeds to step754. If the user has previously authenticated for a protected resourcein the same domain, a valid authentication cookie will be passed bybrowser 12 with the request in step 750 and intercepted by Web Gate instep 752. If a valid cookie is received (step 754), the method attemptsto authorize the user in step 756. If no valid authorization cookie isreceived (step 754), the method attempts to authenticate the user forthe requested resource (step 760).

[0159] If the user successfully authenticates for the requested resource(step 762), then the method proceeds to step 774. Otherwise, theunsuccessful authentication is logged in step 764. After step 764, thesystem then performs authentication failure actions and Web Gate 28denies the user access to the requested resource in step 766. In step774, the successful authentication of the user for the resource islogged. The method then performs authentication success actions in step766. In response to the successful authentication, Web Gate 28 thenpasses a valid authentication cookie to browser 12 in step 780 which isstored by browser 12. After passing the cookie in step 780, the systemattempts to authorize in step 756.

[0160] In step 756, the method attempts to determine whether the user isauthorized to access the requested resource. If the user is authorized(step 790), the method proceeds to step 792. Otherwise, the unsuccessfulauthorization is logged in step 796. After step 796, the method performsauthorization failure actions (step 798) and Web Gate 28 denies the useraccess to the requested resource. If authorization is successful (step790), then the successful authorization of the user is logged in step792, authorization success actions are performed in step 794, and theuser is granted access to the requested resource in step 795. In oneembodiment of step 795, some or all of HTTP request information isprovided to the resource.

[0161]FIG. 23 provides a flow chart of a method for determining whethera requested resource is protected (see step 753 of FIG. 22). In oneembodiment, the steps of FIG. 23 are performed by resource protectedevent handler 508 and Access Server 34. In step 830, Web Gate 28determines whether an entry for the requested resource is found inresource cache 502. If an entry is found, the cache entry is examined instep 842 to determine whether the cache entry indicates that theresource is protected (step 832) or unprotected (step 840). If an entryfor the requested resource is not found in resource cache 502, then WebGate 28 passes the URL of the requested resource request method toAccess Server 34 instep 833. Access Server 34 attempts to map therequested resource to a policy domain using URL prefix cache 564 (step836).

[0162] If mapping step 836 is unsuccessful (step 838), then therequested resource is deemed to be unprotected (step 840). However, if asuccessful mapping has occurred (step 838), then Access Server 34retrieves the authentication rule (step 844) and audit rule (step 846)associated with the requested resource. Access Server 34 then passes theauthentication scheme ID from the authentication rule, audit mask 503,retainer 505 and any POST data received to Web Gate 28 in step 848. WebGate 28 caches the authentication scheme ID from the authenticationrule, audit mask 503, retainer 505 and POST data in resource cache 502(step 850). Since the requested resource was successfully mapped to apolicy domain in step 836, the resource is deemed protected (step 832).

[0163]FIG. 24 is a flow chart describing the process for mapping aresource to a policy domain (see step 836 of FIG. 23). In step 900,Access Server 34 receives the URL of the requested resource from WebGate 28. Access Server 34 then compares a URL prefix of the requestedresource with entries in URL prefix cache 564 in step 902. In oneembodiment, when step 902 is called for the first time in FIG. 24, theURL prefix of the requested resource equals the file name. Thus, if theURL of the requested resource reads:“http://www.oblix.com/oblix/sales/index.html” then the URL prefix firstcompared by step 902 will be: “/oblix/sales/index.html.” If a matchingURL prefix is found (step 904), Access Server 34 proceeds to step 916.

[0164] In step 916, Access Server 34 determines whether the policydomain associated with the matching URL prefix calls for one or morehost ID's. In one embodiment, resources are mapped to certain policydomains if the port number of a resource request and the location of theresource itself conform to one or more host ID's. Thus, multiple policydomains can be associated with identical URL prefixes, each policydomain requiring different host ID's (or none at all). If the policydomain considered in step 916 requires a matching host ID, then AccessServer 34 proceeds to step 917. Otherwise, Access Server 34 proceedsdirectly to step 906 where the requested resource is mapped to thepolicy domain associated with the currently considered URL prefix. Instep 917, if a matching host ID is found, Access Server 34 proceeds tostep 906. If no matching host ID is found, Access Server 34 returns tostep 904 where it determines whether additional matching URL prefixesexist.

[0165] If no matching URL prefix is found in step 904, then AccessServer 34 proceeds to step 908. In step 908, Access Server 34 crops theright-most term from the resource URL prefix compared in step 902. Thus,if the resource URL prefix compared in step 902 reads:“/oblix/sales/index.html” then the resource URL prefix will be croppedin step 908 to read: “/oblix/sales.” If the entire resource URL prefixhas been cropped in step 908 such that no additional terms remain (step910), then the method proceeds to step 912 where Access Server 34concludes that there is no policy domain associated with the requestedresource. However, if one or more additional terms remain in theresource URL prefix, then the method returns to step 902 where thecropped URL prefix is compared with URL prefixes cached in URL prefixcache 564.

[0166] As will be apparent from FIG. 24, the method recurses throughsteps 902, 904, 908, and 910 until either a match is found (step 904) orthe entire resource URL prefix has been cropped (step 910). In any case,the method of FIG. 24 will inevitably return either a successful mapping(step 906) or no mapping (step 912).

[0167]FIG. 25 provides a flow chart describing a method for loading anauthentication rule (see step 844 of FIG. 23). In step 930, AccessServer 34 loads the first level (default) authentication rule for thepolicy domain mapped in step 836 of FIG. 23 from Directory Server 36into authentication rule cache 570. In one embodiment, success andfailure actions are part of all authentication and authorization rules.In one embodiment, Access Manager 40 maintains a user attribute list 114on Directory Server 36. User attribute list 114 identifies all userattributes used by authentication and authorization actions loaded intoauthentication rule cache 570 and authorization rule cache 572. In thisstep, Access Server 34 also builds array 565 (previously describedabove) and loads it into policy domain cache 566. Array 565 includes allsecond level rules and patterns associated with each of the policies forthe policy domain. Access Server 34 then selects a second level rule inarray 565 (step 931). The selected second level rule is part of apolicy. In step 932, Access Server 34 performs a pattern matching method(further described below) for determining whether the rule applies tothe requested resource. If so, then Access Server 34 proceeds to step935; otherwise, Access Server 34 determines whether all rules in array565 have been evaluated (step 933). If, in step 933, it is determinedthat not all of the rules in the array have been evaluated, then AccessServer 34 selects the next rule in array 565 (step 934) and returns tostep 932. Once all rules in array 565 have been considered (step 933),the first level authentication rule previously loaded in step 930 isreturned as the authentication rule, no second level authentication ruleis loaded into authentication rule cache 570, and the method of FIG. 25is done (step 937). If an associated policy was found in step 932, thenauthentication module 540 caches the second level authentication ruleand success and failure actions for the rule in authentication rulecache 570 (step 935), returns that second level authentication rule(step 936), and the method is done (step 937).

[0168]FIG. 26 is a flow chart describing a method for determiningwhether a policy is associated with a resource (see step 932 of FIG.25). A policy URL can contain the following three types of patterns. Allthree types of patterns were referenced in FIG. 21:

[0169] 1. Pattern on the path of the URL: This is the part of URL thatdoes not include the scheme (“http”) and host/domain (“www.oblix.com”),and appears before a ‘?’ character in the URL. In the example URL:

[0170] http://www.oblix.com/oblix/sales/index.html?user=J.Smith&dept=engg the absolute path is “/oblix/sales/index.html.”

[0171] 2. Pattern on name value pairs in the URL: This may be a set ofpatterns. They apply to query data (data appearing after the ‘?’character in the URL when operation is GET, or the POST data ifoperation is POST) and are configured as name (no pattern allowed) plusa pattern or value. For example: variable name pattern user *Smith dept*sales*

[0172] If multiple name value pairs are specified, they all must matchto the incoming resource URL. So the URL:

[0173] http://www.oblix.com/oblix/sales/index.html?user=J.Smith&dept=engg will not match this pattern set. This pattern does notinclude a notion of order to these name-value pairs. A URL:

[0174] http://www.oblix.com/oblix/sales/index.html?dept=sales&user=J.Smith (with reverse order of “dept” and “user”) will also satisfy thispattern. This is important because it is usually difficult to controlthe order of name value pairs in GET/ POST query data.

[0175] 3. Pattern on the entire query string: This is useful when anadministrator desires to enforce an order on the query string. Forexample, a pattern “user=*Smith*sales” will match query string “user=J.Smith&dept=sales.”

[0176] A policy can contain one or more of above types of patterns. Ifmultiple patterns are specified in one policy, they ALL must match tothe incoming resource URL. If not, that policy doesn't apply to theincoming resource URL.

[0177] Patterns used for one embodiment of the current invention can usethe following special characters:

[0178] 1. ?: Matches any one character other than ‘/’. For example,“a?b”matches “aab” and “azb” but not “a/b.”

[0179] 2. *: Matches any sequence of zero or more characters. Does notmatch ‘/’. For example, “a*b” matches “ab,” “azb,” and “azzzzzzb but not“a/b.”

[0180] 3. [“set”]: Matches one from a set of characters. “set” can bespecified as a series of literal characters or as a range of characters.A range of characters is any two characters (including ‘-’) with a ‘-’between them. ‘/’ is not a valid character to include in a set. A set ofcharacters will not match ‘/’ even if a range which includes ‘/’ isspecified. Examples includes: “[nd]” matches only “n” or “d”; “[m-x]”matches any character between “m” and “x” inclusive; “[--b]” matches anycharacter between “-” and “b” inclusive (except for “/”); “[abf-n]”matches “a,” “b,” and any character between “f” and “n” inclusive; and“[a-f-n]” matches any character between “a” and “f” inclusive, “-,” or“n.” The second “-” is interpreted literally because the “f” precedingit is already part of a range.

[0181] 4. {“pattern1,” “pattern2,” . . . }: Matches one from a set ofpatterns. The patterns inside the braces may themselves include anyother special characters except for braces (sets of patterns may not benested). Examples includes: “a{ab,bc}b” matches “aabb” and “abcb”;“a{x*y,y?x}b” matches “axyb,” “axabayb,” “ayaxb,” etc.

[0182] 5. “/ . . . /”: Matches any sequence of one or more charactersthat starts and ends with the ‘/’0 character. Examples includes: “/ . .. /index.html” matches “/index.html,” “/oblix/index.html,” and“/oblix/sales/index.html,” but not “index.html,” “xyzindex.html,” or“xyz/index.html”; and “/oblix/ . . . /*.html” matches“/oblix/index.html,” “/oblix/sales/order.html,” etc.

[0183] 6. “\”: Any character preceded by a backslash matches itself.Backslash is used to turn off special treatment of special characters.Examples include “abc\*d” only matches “abc*d”; and “abc\\d” onlymatches “abc\d.”

[0184] To increase the speed of pattern matching, the system tries to dosome work up front. When Access Server 34 loads a pattern in its cache,it creates an object. This object's constructor “compiles” the pattern.This compiling is essentially building a simple state machine from onepattern to other, i.e., it creates a chain of “glob nodes.” Each globnode consists of either one pattern or a node set. For example, considerpattern:

[0185] / . . . /abc*pqr{uv,xy*}.

[0186] The chain would look like:

[0187] node(“/ . . ./”)→node(“abc”)→node(“*”)→node(“pqr”)→nodeset(node(“uv”),(node(“xy”)→node(“*”)))

[0188] Once the chain is constructed, it is used to match a resource URLto the pattern. Each node or node set in this chain takes a pointer to astring, walks it and decides if it matches the pattern held by the node.In doing so, it also moves this pointer further up in the string. Forexample, when the server gets a URL “/1/3/abcdepqrxyz,” the system takesthis string and starts walking the chain. Below is an example ofevaluation at each node/node set and pointer (*p) in the string. Notethat the original string is not modified. To begin with lets assume thatthe pointer points to the beginning of the string:*p→“/1/3/abcdepqrxyz.”: Step 1: node(“/.../”) ---> MATCHES ---> advance*p -> “abcdepqrxyz.” Step 2: node(“abc”) ---> MATCHES ---> advance *p ->“depqrxyz.” Step 3: node(“*”) ---> *matches everything except specialcharacters ( unescaped ’?,’ ’*,’ ’[,’ ’],’ ’{,’ ’},’ ’/’), so at thispoint, the system tries matching to the next node, node(“pqr”) likethis: a) does *p->“depqrxyz” match node (“pqr”)? NO,advance *p ->“epqrxyz.” b) does *p->“epqrxyz” match node (“pqr”)? NO,advance *p ->“pqrxyz.“ c) does *p->“pqrxyz” match node (“pqr”)? YES,advance *p->“xyz.” If we walked to the end of string and didn't find a “pqr” (forexample in case of URL ‘’/1/3/abcdefgh”) there is no match.

[0189] Step 4: nodeset(node(“uv”), (node(“xy”)→node(“*”))):A nodesetwill match incoming string (in the example, *p→“xyz”) to one of setmembers. In this case “xyz” does not match “uv,” but it does match“xy*.” So there is a MATCH and *p→\0.’

[0190] Step 5: The pointer is at the end of the string. So the match issuccessful. At any point, if the system finds a node that does not matchits string, the system stops processing and concludes that the stringdoes not match the pattern. For example, a URL “/1/3/dddddd” will clearstep 1 above, but will fail step2, so the matching stops after step 2.

[0191] Referring to FIG. 26, in step 940, Access Server 34 retrieves thepolicy information from policy domain cache 566. The policy informationcan include one or more of the following: a URL absolute path, a querystring, and zero or more query variables. In step 941, Access Server 34determines whether requested resource matches the policy resource type(see FIG. 21). If the resource type does not match, Access Server 34skips to step 952. However, if the resource type does match, AccessServer 34 proceeds to step 942. In step 942, Access Server 34 determineswhether the operation used to request the resource matches policyoperation type (see FIG. 21). If the operation type does not match,Access Server 34 skips to step 952. If the operation type does match,Access Server 34 proceeds to step 943.

[0192] In step 943, the policy URL absolute path, query variables, andquery strings are broken up into various nodes, as described above. Instep 944, the various nodes are stored. Access Server 34 accesses therequested resource URL in step 946. In step 948, the first node of thepolicy URL is considered by Access Server 34. In step 950, Access Server34 considers whether the considered node matches the resource URL, asdescribed above. If the first node does not match, then the entirepolicy will not match (step 952). If the node does match the resourceURL, or if there are no nodes for the policy, then in step 954 it isdetermined whether there are any more nodes to consider. If more nodesremain to be considered, then in step 956 the next node is consideredand the method loops back to step 950. If there are no more nodes (step954), the query string for the policy is compared to the query string ofthe resource URL in step 958. If the query string for the policy exactlymatches the query string for the resource URL, or if there is no querystring for the policy, then the method continues with step 960. If thequery string for the policy does not match the query string for theresource URL, then the resource URL does not match and is not associatedwith the policy (step 952).

[0193] In step 960, it is determined whether there are any queryvariables (see FIG. 21) to consider that have not already beenconsidered. If there are query variables to consider, then the nextquery variable is accessed in step 964. The accessed query variable issearched for in the resource URL in step 965. If the query variable isfound in the resource URL and the value for the query variable matchesthe stored value query variable in for the policy (step 966), then themethod continues at step 960; otherwise, Access Server 34 proceeds tostep 967. The purpose of steps 960, 964, 965, and 966 is to determinewhether each of the query variables (and associated values) defined fora policy are found, in any order, in the resource URL. If all of thequery variables are in the URL with the appropriate values, than thereis a match (step 970). In one embodiment, the query string and the queryvariables are in the portion of the URL following the question mark.

[0194] If in step 966 a match is not found, then it is determinedwhether a match may still be possible using POST data. In oneembodiment, resources are mapped to policies by matching POST datasubmitted with resource requests. Thus, different policies can beassociated with a given resource, depending on the contents of the POSTdata. For example, a user may request a resource during the course ofsubmitting an online form containing POST data. Applicable policies canbe mapped on the basis of POST data added to the policy in step 734 ofFIG. 21. In step 967, Access Server 34 determines whether the policyoperation type is an HTTP POST request. If not, then there is no match(step 952). However, if the operation type is an HTTP POST request, thenAccess Server 34 proceeds to step 968 where Access Server 34 requestsand receives the POST data from Web Gate 28. In one embodiment, Web Gate28 transmits a flag with all POST requests forwarded to Access Server34. When POST data is transmitted with an HTTP POST request, the flag isset. If no POST data is transmitted, then the flag is not set. Inanother embodiment, retainer 505 is transmitted by Access Server 34 toWeb Gate 28 when requesting POST data. Retainer 505 is returned by WebGate 28 to Access Server 34 with the POST data, thus indicating whichpolicy to continue evaluating in step 969. In step 969, Access Server 34evaluates whether the POST data received in step 968 matches the POSTdata required by the policy to achieve a match (see FIG. 21). If thePOST data matches, then the method proceeds to step 970. Otherwise, themethod proceeds to step 952.

[0195]FIG. 26A provides a flow chart detailing the steps performed whenmatching a resource with a specific policy using POST data in step 969of FIG. 26. In one embodiment, the steps of FIG. 26A are performed byauthentication module 540. In step 980, Access Server 34 selects thefirst data required for matching the policy under consideration. Then,in step 981, Access Server 34 selects the first item of POST datareceived in step 968 of FIG. 26. Access Server 34 compares the POST datawith the required data (step 982). If a match is found (step 983),Access Server proceeds to step 987. Otherwise, Access Server 34 proceedsto step 984 where it determines whether all of the POST data receivedhas already been compared in step 982. If additional POST data remainsto be compared, Access Server 34 selects the next item of POST datareceived (step 986) and loops back to step 982. If all received POSTdata has already been compared (step 982) and no match was found (step984), then Access Server 34 returns no match (step 985). In step 987,Access Server 34 determines whether additional POST data is required tobe matched in order to match the specific policy under considerationwith the requested resource. If additional data is required, AccessServer 34 selects the next required data (step 988) and loops back tostep 981. If no additional data is required, Access Server 34 returns amatch (step 989).

[0196]FIG. 27 provides a block diagram of a retainer data structure(retainer) 505 that is passed by Web Gate 28 to Access Server 34 toidentify the policy domain and policy previously mapped in step 836 ofFIG. 23 and step 932 of FIG. 25, respectively. Retainer 505 is cached inresource cache 502 in step 850 of FIG. 23. Retainer 505 contains thepolicy domain ID 992 of the mapped policy domain to be used inauthorization and logging steps, the policy ID 994 for an applicablepolicy residing in the mapped policy domain, and ID 996 for theapplicable authentication scheme. Thus, by passing retainer 505 ratherthan the complete URL of the requested resource, Web Gate 28 savesAccess Server 34 from having to repeatedly remap the requested resourceto a policy domain and policy during authorization and logging.

[0197]FIG. 28 provides a flowchart of a method for authenticating a userfor various combinations of domains and Web Servers through a singleauthentication performed by the user. As will be apparent to thoseskilled in the art, an Internet domain can reside on a single WebServer, or be distributed across multiple Web Servers. In addition,multiple Internet domains can reside on a single Web Server, or can bedistributed across multiple Web Servers. In accordance with the presentinvention, the method of FIG. 28 allows a user to satisfy theauthentication requirements of a plurality of domains and/or Web Serversby performing a single authentication.

[0198] In the simplest case, all of an e-business host company's WebServers will be in the same domain (i.e. oblix.com). When a usersuccessfully authenticates at one of the Web Servers, the Web Gaterunning on the authenticating Web Server causes the Web Server to returnan encrypted cookie, indicating a successful authentication. Subsequentrequests by the browser to the domain will pass this cookie (assumingthe cookie applies to the requested URL), proving the user's identity;therefore, further authentications are unnecessary.

[0199] In a more complex case, an e-business host company's web presenceincorporates associated web sites whose Web Servers have names inmultiple domains. In such a multiple domain case, each of the associatedportal Web Servers use a Web Gate plug-in configured to redirect userauthentication exchanges to the e-business host's designated web log-inWeb Server. The user is then authenticated at the e-business host's weblog-in server, and an encrypted cookie is issued for the e-businesshost's domain to the user's browser. The user's browser is then isredirected back to the original associated portal's site where the WebGate creates a new cookie for the associated portal's domain and returnsit to the user's browser.

[0200] As a result, the user is transparently authenticated in both theoriginal associated portal's domain and the e-business host's domain.The process is transparently performed for each different associatedportal that a user may visit during a session. The present invention'sassociated portal support easily supports single Web Servers havingmultiple DNS names in multiple domains, and/or multiple networkaddresses. In accordance with the present invention, this multipledomain authentication enables “staging” of web sites. For example, a newedition of a web site can be deployed on a separate set of servers, andthen mapped to policy domains protected by the present invention bysimply updating the policy domain's host ID's.

[0201] In one embodiment, the steps of FIG. 28 are performed byauthentication event handler 512 and redirection event handler 504. Instep 1020, authentication event handler 512 determines whether single ormultiple domains are protected in a given deployment of the presentinvention. If only a single domain is protected, then the methodproceeds to step 1022 where an authentication is attempted at the singledomain. If the single domain is distributed across multiple Web Servers,then the domain attribute of the cookie set by the authenticating WebServer in step 1022 is set to broadly include all Web Servers in thedomain.

[0202] If multiple domains are protected, the method proceeds to step1024 where authentication event handler 512 determines whether themultiple protected domains all reside on a single Web Server. Forexample, a single machine intranet.oblix.com maybe addressed in multipleways such as: sifl.oblix.com, intranet, asterix.oblix.com, or 192.168.1.In accordance with the present invention, when multiple domains resideon a single Web Server, an administrator will designate exactly one ofthe domains a “preferred host domain.” If step 1024 indicates that allprotected domains reside on the same Web Server, then authenticationevent handler 512 determines whether the domain of the requestedresource is a preferred host (step 1026). If it is a preferred host,then authentication event handler 512 attempts to authenticate the userat the preferred host domain in step 1030 (further described below withrespect to FIG. 30). Otherwise, redirection event handler 504 redirectsbrowser 12 to the preferred host domain (step 1028) for authentication(step 1030). Referring to step 1024, if the multiple protected domainsreside on multiple Web Servers, then authentication event handler 512proceeds to step 1032.

[0203] In one embodiment, a single policy domain and/or policies arecreated for the preferred host domain while no policy domains orpolicies are created for the other domains residing on the same webserver. All resource requests made to any of the multiple protecteddomains residing on the same web server are redirected to the preferredhost domain, thus requiring the user to authenticate according to thepreferred host domain's policy domain and/or policies. As a result,after authentication at the preferred host domain, the user istransparently authenticated for all other domains residing on the sameweb server. When subsequent resource requests for resources in domainsresiding on the same web server are redirected to the preferred hostdomain, the prior successful authentication for the host domain can beconfirmed by the existence of a valid authentication cookie for thepreferred host domain. If such a cookie exists, then the user need notre-authenticate for the requested resource. In one embodiment, ifsubsequent resource requests made to the preferred host domain (or anyof the other domains on the same web server) require a higher level ofauthentication, or if a previously valid authentication has expired, theuser will be required to re-authenticate at the preferred host domain inaccordance with the method of FIG. 28.

[0204]FIG. 29 provides a block diagram of a plurality of Web Servers,each hosting a different domain accessible by browser 1082. Inaccordance with the present invention, when multiple domains areprotected and distributed across multiple Web Servers, the administratorwill identify exactly one of the domains a “master domain.” Asidentified in FIG. 29, Web Server 1070 hosts master domain A.com, whileWeb Servers 1072 and 1074 host domains B.com and C.com, respectfully. Anend user's resource request is illustrated in FIG. 29 by path 1084 frombrowser 1082 to Web Server 1072.

[0205] Referring back to FIG. 28, if authentication event handler 512determines that the domain of the requested resource is a master domain(step 1032), then authentication event handler 512 attempts toauthenticate at the master domain (step 1034). Otherwise, redirectionevent handler 504 redirects browser 12 to the master domain (step 1036).The user then authenticates at the master domain (step 1038). Theredirection and authentication of steps 1036 and 1038 are illustrated inFIG. 29 by path 1086. Upon a successful authentication at the masterdomain, the master domain Web Server passes an authentication cookie tothe user's browser (step 1040) and re-directs the user's browser back tothe first domain accessed by the user (step 1042). Also in step 1042,the master domain passes information contained in the master domainauthentication cookie to the first domain in the query data portion ofthe redirection URL. Steps 1040 and 1042 are illustrated by paths 1088and 1090, respectively in FIG. 29. In step 1044, the Web Gate of thefirst domain Web Server extracts the master domain authentication cookieinformation from the redirection URL, thus confirming the user'sauthentication at the master domain and resulting in a successfulauthentication (step 1046). The first domain Web Server (B.com) thensends its own authentication cookie to web browser 1082 (as depicted bypath 1092) in accordance with step 780 of FIG. 22, previously describedabove. Any subsequent authentication by browser 1082 at domain C.com onWeb Server 1074 follows the method of FIG. 28.

[0206]FIG. 30 provides a flow chart of the method for authenticating, asperformed in steps 1022, 1030, 1034, and 1038 of FIG. 28. In oneembodiment, the steps of FIG. 30 are performed by authentication eventhandler 512. In step 1120, authentication event handler 512 accessesresource cache 502 to determine what authentication challenge method isto be used for the given resource. Authentication event handler 512 thenaccesses authentication scheme cache 506 in step 1122 to determinewhether the authentication scheme associated with the requested resourcehas been previously cached. If the authentication scheme is found,authentication event handler 512 determines the specific type ofchallenge method in step 1126. If the challenge scheme was not found instep 1122, authentication event handler 512 loads the authenticationrule associated with the requested resource from Directory Server 36 instep 1124 (further described below in FIG. 31), and then proceeds tostep 1126.

[0207] In step 1126, authentication event handler 516 discerns whetherthe authentication challenge scheme retrieved in step 1122 or 1124 callsfor basic, form, certificate, or no authentication. If the challengescheme indicates basic authentication, then the method proceeds to step1128 and performs basic authentication. If the challenge schemeindicates form authentication, then the method proceeds to step 1130 andperforms form authentication. If the challenge scheme indicatescertificate authentication, then the method proceeds to step 1132 andperforms certificate authentication. If the challenge scheme indicatesthat no authentication is required (step 1134), then the user is notchallenged, authentication is not performed (in one embodiment, thesystem skips to step 756 of FIG. 22 and in another embodiment the systemskips to step 774 of FIG. 22).

[0208]FIG. 31 provides a flow chart describing the method of loading anauthentication challenge scheme from Directory Server 36 (step 1124 ofFIG. 30). In one embodiment, the steps of FIG. 31 are performed byauthentication event handler 512 and Access Server 34. In step 1160,authentication event handler 512 requests the authentication challengescheme to be read from Access Server 34. If the authentication challengescheme is found in authentication scheme cache 568 (step 1162), thenAccess Server 34 proceeds to step 1168. Otherwise, Access Server 34retrieves the requested authentication challenge scheme from DirectoryServer 36 (step 1164). Upon retrieval, Access Server 34 caches theauthentication challenge scheme in authentication scheme cache 568 (step1166), and proceeds to step 1168. In step 1168, Access Server 34 passesthe retrieved authentication challenge scheme to Web Gate 28. Web Gate28 then caches the authentication challenge scheme in authenticationscheme cache 506 (step 1170).

[0209]FIG. 32 provides an exemplar method for performing basicauthentication (step 1128 of FIG. 30). In one embodiment, the steps ofFIG. 32 are performed by authentication event handler 512 andauthentication module 540. In step 1202, authentication event handler512 instructs browser 12 to prompt the user for a user ID and password.In response, the user enters and the user's browser submits therequested user ID and password (step 1204). In step 1206, Web Gate 28intercepts the user submission and authentication event handler 512passes the user ID and password to Access Server 34, along with retainer505, thus identifying a policy domain and policy applicable to therequested resource. Access Server authentication module 540 thenauthenticates the user using the user ID and password in step 1208. Instep 1210, authentication module 540 returns the authentication result,authentication success or failure actions, and any user attributesrequired by the actions to Web Gate 28.

[0210]FIG. 33 provides a flow chart describing an exemplar method usedby the Access Server to authenticate using a user ID and password (step1208 of FIG. 32). In one embodiment, the steps of FIG. 33 are performedby authentication module 540. In optional step 1230, authenticationmodule 540 searches user profile cache 576 for a user identity profileentry having a user ID attribute matching the user ID received from WebGate 28. User profile cache 576 is a hash table of user identity profileattributes that can be used for authentication, authorization, orauditing. In one embodiment, the user ID attribute would appear in userprofile cache 576 if it was previously used in a successfulauthentication. If a match is found (optional step 1232), thenauthentication module 540 proceeds to step 1234. If no match is found,then authentication module 540 proceeds to step 1236.

[0211] In another embodiment, steps 1230 and 1232 of FIG. 33 are notperformed. In such an embodiment, the method of FIG. 33 begins with step1236 where it searches user identity profiles 102 in Directory Server 36(not user profile cache 576) for a user identity profile having a userID attribute matching the user ID received from Web Gate 28. If nomatching user identity profile attribute is found in Directory Server 36(step 1238), then the method proceeds to step 1241. If a matching useridentity profile attribute is found in Directory Server 36 (step 1238),then authentication module 540 binds to the directory using thedistinguished name from the matching user identity profile entry and thepassword received from Web Gate 28 (step 1234). If the bind isunsuccessful (step 1240), then authentication module 540 proceeds tostep 1241 where it determines whether an entry for the current user isfound in user profile cache 576. If so, authentication module 540proceeds to step 1243. Otherwise, authentication module 540 retrievesall profile attributes of the current user appearing in user attributelist 114 and caches them in user profile cache 576 (step 1242). In step1243, authentication module 540 returns an unsuccessful authenticationresult.

[0212] If the bind is successful (step 1240), then authentication module540 accesses revoked user list 582 to determine whether the user IDreceived from Web Gate appears on revoked user list 582. If the user IDis on the revoked user list (step 1244), authentication module 540proceeds to step 1241. If the user ID is not on the revoked user list,then authentication module 540 determines whether an entry for the useris found in user profile cache 576 (step 1250). If not, authenticationmodule 540 retrieves all profile attributes of the current userappearing in list 114 and caches them in user profile cache 576 (step1254). If an entry was found, the method skips to step 1260. In step1260, the method returns a successful authentication result.

[0213]FIG. 34 provides a flow chart describing a method for performingform authentication (step 1130 of FIG. 30). In one embodiment, the stepsof FIG. 34 are performed by authentication event handler 512,redirection event handler 504, browser 12, and authentication module540. In step 1308, authentication event handler 512 sets a “form login”cookie on browser 12. The cookie includes the URL of the requestedresource. Authentication event handler 512 then redirects browser 12 toan authentication form URL (step 1310). In step 1312, Web Gate 28 allowsthe authentication form referenced by the authentication form URL topass to browser 12. The user then fills out the authentication form(step 1314) and transmits (e.g. post data) the information from theauthentication form (step 1316), passing the form login cookiepreviously set in step 1308. Authentication event handler 512 thenextracts the URL of the requested resource from the form login cookie(step 1318), and passes the user ID and password filled out by the userin the authentication form (submitted as POST data) to Access Server 34(step 1320).

[0214] In step 1322, authentication module 540 authenticates the userfor the requested resource using the user's id and password receivedfrom Web Gate 28, performing the steps of FIG. 33 previously describedabove. In step 1324, authentication module 540 returns theauthentication result, authentication actions, and user attributes toWeb Gate 28. Authentication event handler 512 then sets the form logincookie (previously set in step 1308) to indicate that the authenticationprocess is completed (step 1326).

[0215]FIG. 35 is a flow chart describing a method for performingcertificate authentication (step 1132 of FIG. 30). In one embodiment ofthe present invention, client certificate authentication is performedusing Web Servers employing the Netscape Enterprise Server plug-ininterface (NSAPI). In another embodiment, client certificateauthentication is performed for Web Servers employing the MicrosoftInternet Information Server plug-in interface (ISAPI). In yet anotherembodiment, client certificate authentication is performed on aplurality of Web Servers, with a first subset of the Web Serversemploying NSAPI and a second subset employing ISAPI. Other Web Serverscan also be used.

[0216] In one embodiment, the steps of FIG. 35 are performed byauthentication event handler 512, redirection event handler 504, browser12, and authentication module 540. In step 1348, authentication eventhandler 512 requests Web Server 18 to perform SSL client certificateauthentication on browser 12. In one embodiment of the present inventionperforming client certificate authentication on ISAPI Web Servers,authentication event handler 512 redirects browser 12 to a special caseURL (i.e. cert_authn.dll) that is configured to accept certificates. Insuch an embodiment, this redirection occurs within step 1348.

[0217] In step 1350, Web Server 18, on behalf of Web Gate 28, sends anSSL client certificate request along with trusted certificateauthorities (CA's) and challenge data to browser 12. Browser 12 thendisplays a selection box with client certificates from trusted CA's,allowing a user of browser 12 to select a certificate (step 1352).Browser 12 then returns the selected certificate with challenge datasigned by a private key to Web Server 18 (step 1356). Web Server 18 thenverifies that the challenge data was properly signed by the selectedcertificate (step 1360) and passes a valid certificate to Web Gate 28(step 1362), which passes the certificate to Access Server 34 (step1363). In step 1364, authentication module 540 of Access Server 34 thendecodes the certificate and maps the certificate subject to a validdistinguished name (further described in FIG. 36). In step 1366,authentication module 540 returns the authentication result,authentication actions, and user attributes to Web Gate 28.

[0218]FIG. 36 provides a flow chart describing a method forauthenticating using a valid certificate (step 1364 of FIG. 35). In oneembodiment, the steps of FIG. 36 are performed by authentication module540. In optional step 1390, authentication module 540 decodes one ormore fields of the certificate passed by Web Gate 28 in step 1362 ofFIG. 35. In one embodiment, the user's e-mail address is decoded. Instep 1392, authentication module 540 searches user profile cache 576 fora user identity profile entry having one or more attributes matching thedecoded field(s). In one embodiment, the user attribute would appear inuser profile cache 576 if it was previously used in a successfulauthentication. If a match is found (optional step 1394), thenauthentication module 540 proceeds to step 1406. If no match is found,then authentication module 540 proceeds to step 1396.

[0219] In another embodiment, steps 1390 and 1392 of FIG. 36 are notperformed. In such an embodiment, the method of FIG. 36 begins with step1396 where it searches user identity profiles 102 in Directory Server 36for a user identity profile having one or more attributes matching thedecoded field(s). If no matching user identity profile attribute isfound in Directory Server 36 (step 1398), then the method proceeds tostep 1402 where it determines whether an entry for the current user isfound in user profile cache 576. If so, authentication module 540proceeds to step 1405. Otherwise, authentication module 540 retrievesall profile attributes of the current user appearing in user attributelist 114 and caches them in user profile cache 576 (step 1404). In step1405, authentication module 540 returns an unsuccessful authenticationresult. If a matching user identity profile is found in step 1398, themethod proceeds to step 1406.

[0220] In step 1406, authentication module 540 accesses revoked userlist 582 to determine whether the user identity profile having thematching user attribute appears on revoked user list 582. If so,authentication module 540 proceeds to step 1402. Otherwise,authentication module 540 continues on to step 1410 and determineswhether an entry for the current user is found in user profile cache576. If not, authentication module 540 retrieves all profile attributesof the current user appearing in list 114 and caches them in userprofile cache 576 (step 1416). If an entry was found, the method skipsto step 1422. In step 1422, the method returns a successfulauthentication result.

[0221]FIG. 37 provides a block diagram of an authentication cookie 1450passed by Web Gate 28 to browser 12 in step 780 of FIG. 22. Cookie 1450is encrypted with a symmetric cipher so that cookies from all instancesof Web Gate 28 in a given deployment of the present invention may beencrypted using the same key. This key (shared secret 110) is stored onDirectory Server 36 and distributed to each of the Web Gates 28 byAccess Server 34. Shared secret 110 can change as often as desired by anadministrator. In one embodiment of the present invention, cookie 1450is encrypted using RC4 encryption with a 2048 bit key. As previouslydescribed, in one embodiment, previously valid keys are grandfatheredsuch that both the current key and the immediately prior key will bothwork to de-crypt encrypted cookie 1450. The present invention features aone-button key re-generation function. This function is easilyscriptable.

[0222] In one embodiment, the information stored by cookie 1450 includesthe authentication level 1452 of the authentication scheme used tocreate the cookie, the user ID 1454 of the authenticated user, the IPaddress 1456 of the authenticated user, and session start time 1458identifying the time at which cookie 1450 was created. If the timeelapsed since the session start time 1458 exceeds a maximum sessiontime, the cookie will become invalid. Idle start time 1460 is alsostored, which identifies the time when the previous HTTP request for aprotected resource was made in which cookie 1450 was passed. If the timeelapsed since the idle start time 1460 exceeds a maximum idle time, thecookie will become invalid. Both of these time limits force users tore-authenticate if they have left a session unattended for longer thanthe maximum session or idle times. Cookie 1450 also stores a securedhash 1462 of information 1452, 1454, 1456, 1458, and 1460. In oneembodiment of the present invention, secured hash 1462 is created usingan MD5 hashing algorithm. Most Internet browsers cache a user's suppliedauthentication information during basic and certificate authenticationchallenge methods, and then transparently re-send the information uponreceiving an authentication challenge from a Web Server. In oneembodiment, an administrator can enable a form authentication challengemethod requiring end users to re-authenticate upon expiration of themaximum session or maximum idle time limits.

[0223]FIG. 38 provides a flow chart describing a method for attemptingto authorize a user (step 756 of FIG. 22). In one embodiment, the methodof FIG. 38 is performed by authorization event handler 516 andauthorization module 542. In step 1490, authorization event handler 516of Web Gate 28 passes authorization information to Access Server 34. Instep 1494, authorization module 542 determines whether one or moreauthorization rules associated with the requested resource are found inauthorization rule cache 572. If one or more rules are found,authorization module 542 proceeds to step 1496. Otherwise, authorizationmodule 542 retrieves any authorization rules associated with therequested resource from Directory Server 36 in step 1498. In oneembodiment, authorization success and failure actions are retrieved withthe authorization rules. After retrieving the authorization rules,authorization module 542 proceeds to step 1496 and reads the firstauthorization rule associated with the requested resource fromauthorization rule cache 572. In one embodiment, multiple authorizationrules are evaluated in an order determined by the priority set in step646 of FIG. 17. In another embodiment, second level authorization rulesare evaluated prior to first level authorization rules. Authorizationmodule 542 applies the authorization rule (step 1500) to theauthorization information previously passed in step 1490.

[0224] If the authorization rule is satisfied in step 1502,authorization module 542 determines whether an entry for the user isfound in user profile cache 576 (step 1504). If so, authorization module542 proceeds to step 1508. If not, authorization module 542 retrievesall profile attributes of the current user appearing in user attributelist 114 (step 1507), and communicates the authorization success actionsand attributes to Web Gate 28 (step 1508).

[0225] If the authorization rule is not satisfied (step 1502), thenauthorization module 542 determines whether more authorization rulesremain to be evaluated (step 1509). If more rules remain, the next ruleis read (step 1496) and evaluated (step 1500). If no more rules remain,authorization module 542 determines whether an entry for the user isfound in user profile cache 576 (step 1510). If so, authorization module542 proceeds to step 1512. If not, authorization module 542 retrievesall profile attributes of the current user appearing in user attributelist 114 (step 1511), and communicates the authorization success actionsand attributes to Web Gate 28 (step 1512).

[0226]FIG. 39 details the steps performed when passing authorizationinformation to Access Server 34 in step 1490 of FIG. 38. In oneembodiment, the steps of FIG. 39 are performed by authorization eventhandler 516. In one embodiment, authorization can be performed usingPOST data. In another embodiment, POST data is not used forauthorization. If POST data is enabled to be used for authorization,then the method of FIG. 39 begins with optional step 1530. Otherwise,the method begins at step 1534. If the resource request issued bybrowser 12 in step 750 of FIG. 22 employs a POST request method and POSTdata is enabled to be used for authorization (step 1530), authorizationevent handler 516 passes the POST data and retainer 505 to Access Server34 (step 1536). If the resource request does not employ a POST requestmethod or POST data is not enabled to be used for authorization (step1530), then authorization event handler 516 passes retainer 505, therequest method, the user's distinguished name, the user's IP address,and the time of the request to Access Server 34 in step 1534.

[0227]FIG. 40 illustrates the format of an HTTP request. As illustratedin FIG. 40, an HTTP request 1550 comprises request line 1552, zero ormore headers 1554, blank line 1556, and body 1558 (used only for POSTrequests). The HTTP protocol supports various types of requests. The GETrequest returns whatever information is identified by the request-URIportion of request line 1552. The HEAD request is similar to the GETrequest, but only a server's header information is returned. The actualcontents of the specified document is not returned. This request isoften used to test hypertext links for validity, accessibility, andrecent modifications. The POST request is used for POSTing electronicmail, news, or sending forms that are filled in by an interactive user.A POST is the only type of request that sends a body. A validcontent-linked header field is required in POST requests to specify thelength of body 1558. Post data can include zero or more data elementsseparated by “&” as depicted by line 1562. Each data element is of theform variable name=value.

[0228] HTTP request 1550 can contain a variable number of header fields1560. A blank line 1556 separates header fields 1554 from body 1558. Aheader field comprises a field name, a string and the field value, asdepicted in box 1560. In one embodiment, the field value is an LDAPattribute. Field names are case insensitive. Headers can be divided inthree categories: those that apply to requests, those that apply toresponses, and those that describe body 1558. Certain headers apply toboth requests and responses. Headers that describe the body can appearin a POST request or in any response.

[0229]FIG. 41 provides a flow chart describing a method for loading anauthorization rule from the Directory Server (step 1498 of FIG. 38). Inone embodiment, the steps of FIG. 41 are performed by authorizationmodule 542. In step 1580, Access Server 34 loads the defaultauthorization rule for the policy domain mapped in step 836 of FIG. 23from Directory Server 36 into authorization rule cache 572. AccessServer 34 then selects a first rule in array 565 (step 1582) anddetermines whether the selected rule is a second level (specific) ruleof a policy associated with the requested resource (step 1584), bycalling the method of FIG. 26 previously described above. If yes, thenAccess Server 34 proceeds to step 1592. Otherwise, Access Server 34determines whether all rules in array 565 have been evaluated (step1586). If not, then Access Server 34 selects the next rule in array 565(step 1588), and returns to step 1584. Once all rules in array 565 havebeen considered (step 1586), Access Server 34 proceeds to step 1594 andloops back to step 1586. If a second level authorization rule (a ruledefined in a policy) was found for the requested resource in step 1584,then authorization module 540 caches the second level authorization rulein authorization rule cache 570 (step 1592) and the method is done (step1594). If a second level policy authorization rule was not found, thenthe default authorization rule previously loaded in step 1580 remains inauthorization rule cache 572, and the method is done (step 1594).

[0230]FIG. 42 provides a flow chart describing the method of applying anauthorization rule (step 1500 of FIG. 38). In one embodiment, the stepsof FIG. 42 are performed by authorization module 542. In one embodiment,authorization can be performed using POST data. In another embodiment,POST data is not used for authorization. If POST data is to be used forauthorization, then the method of FIG. 42 begins with optional step1620. Otherwise, the method begins at step 1624. In optional step 1620,if the resource request employs a POST request method, thenauthorization module 542 proceeds to optional step 1622 where it appliesthe authorization rule to the POST data passed in step 1536 of FIG. 39.If the resource request does not employ a POST request method (or ifPOST data is not enabled to be used for authorization), thenauthorization module 542 proceeds to step 1624. If specific users aredefined (by distinguished name) in the authorization rule, authorizationmodule 542 evaluates whether the distinguished name of the authenticateduser matches the user's distinguished name called for by theauthorization rule (step 1626). If specific groups are defined in theauthorization rule (step 1628), authorization module 542 evaluateswhether the group name of the authenticated user matches the group namecalled for by the authorization rule (step 1630). In one embodiment, theuser's group membership is cached in user policy cache 578. If specificroles are defined in the authorization rule (step 1632), authorizationmodule 542 evaluates whether the role of the authenticated user matchesthe role called for by the authorization rule (step 1634). If specificLDAP rules are defined in the authorization rule (step 1640),authorization module 542 evaluates whether the LDAP rule matches theLDAP rule called for by the authorization rule (step 1642). In oneembodiment, the result of the LDAP rule evaluation in step 1642 iscached in user policy cache 578. If specific user IP addresses aredefined in the authorization rule (step 1644), authorization module 542evaluates whether the IP address of the authenticated user matches theIP address called for by the authorization rule (step 1646). If asuccessful match is found at any point (steps 1627, 1631, 1635, 1643,and 1647), the authorization is successful (step 1650). In oneembodiment, successful matches of groups and LDAP rules are stored inuser policy cache 578 in steps 1631 and 1643. In another embodiment,multiple matches must be found before an authorization success is found.If no matches are found, authorization is unsuccessful (step 1652).

[0231]FIG. 43 provides a flow chart detailing the steps performed whenapplying an authorization rule to POST data in optional step 1622 ofFIG. 42. In one embodiment, the steps of FIG. 43 are performed byauthorization module 542. In step 1670, Access Server 34 selects thefirst item of POST data received in optional step 1536 of FIG. 39. Ifthe selected POST data is of a type that is called for by theauthorization rule being evaluated (step 1672), then Access Server 34evaluates whether the selected POST data matches data required by theauthorization rule (step 1674) and determines whether a successful matchhas been found (step 1675). For example, if an authorization rule callsfor a user's distinguished name, then a distinguished name contained inthe POST data will be compared with the distinguished name expected bythe authorization rule. If the selected POST data equals the expecteddistinguished name, then a successful match will be found for theexample above. If a match is found (step 1675), Access Server proceedsto step 1682 where it returns a successful authorization. Otherwise,Access Server proceeds to step 1676. If, in step 1672, it is determinedthat the type of POST data was not called for, then Access Server 34proceeds directly to step 1676.

[0232] In step 1676, Access Server 34 determines whether all of the POSTdata received in step 1536 has been considered by step 1672. Ifadditional Post data remains to be considered (step 1676), Access Server34 selects the next available item of POST data (step 1678) and loopsback to step 1672. If no POST data remains to be considered and a matchstill has not been found (step 1676), access Server 34 proceeds to step1684 and returns an authorization failure.

[0233]FIG. 44 is a flow chart describing the process of performingauthentication success actions (step 776 of FIG. 22). In step 1700, WebGate 28 determines whether there is a redirect URL. As described above,when setting up a policy domain or a policy, an administrator can set upa redirect URL for authentication success/failure events as well asauthorization success/failure events. An administrator can also set upvarious variables to add to an HTTP request based on these events. If,in step 1700, it is determined that a redirect URL exists for anauthentication success event, then in step 1702 it is determined whetherthere are any HTTP variables to add to the HTTP request. If it wasdetermined in step 1700 that there was not a redirect URL, then in step1704, it is determined whether there are any HTTP variables to add tothe request. If, in step 1704, it is determined that there are HTTPvariables to add to the request in response to the authenticationsuccess event, then in step 1706, the header variables are added. If, instep 1704, it is determined that there are no HTTP variables to add tothe request, then no action is performed (step 1708). If, in step 1702,it is determined that there are no HTTP variables to add to the request,then in step 1710 the redirect URL is added to the HTTP request andbrowser 12 is redirected using the HTTP request in step 1712. If in step1702 it is determined that there are HTTP variables to add to therequest, then in step 1714 the redirect URL is added to the HTTP requestand, in step 1716, the header variables are added to the HTTP request.In step 1718, the browser is redirected using the newly constructed HTTPrequest.

[0234] When a Web Server receives an HTTP request, the Web Server storesthe contents of the HTTP request in a data structure on the Web Server.A Web Gate can edit that data structure using an API for the Web Server.In one embodiment, the downstream application that will be using theheader variables is on, accessed using or associated with the same WebServer storing the HTTP request. In that case, the header variable areadded (e.g. in step 1706) by storing the header variables in the datastructure on the Web Server. Subsequently, the Web Server will providethe header variables to the downstream application.

[0235]FIG. 45 is a flow chart describing the steps of performingauthentication and authorization failure actions (see steps 766 and 798of FIG. 22, respectively). In step 1738, Web Gate determines whetherthere is a redirect URL for the authorization failure or authenticationfailure, whichever event is being considered. If there is no redirectURL, then in step 1740, it is determined whether there are any HTTPvariables for the authorization failure or authentication failure. Ifthere are no HTTP variables, then in step 1742, a default failure URL isadded to a new HTTP request. The default failure URL is a URL thatpoints to a web page that notifies a user that access is denied to theresource. In other embodiments, other pages can be used as defaultfailure pages. In step 1744, the user's browser 12 is redirected usingthe HTTP request that includes the default failure URL. If, in step1740, it is determined that there are HTTP variables to add to the HTTPrequest for the particular authentication failure or authorizationfailure event, then in step 1746, those variables are added as headervariables to the HTTP request. In step 1748, the default failure URL isadded to the HTTP request. The user's browser is redirected using theHTTP request in step 1750.

[0236] If, in step 1738, it is determined that there is a redirect URLfor the particular authentication failure or authorization failureevent, then it is determined whether there are any HTTP variables forthis particular action in step 1752. If not, the redirect URL is addedto the HTTP request in step 1754 and the browser is redirected using theHTTP request in step 1756. If, in step 1752 it is determined that thereare HTTP variables to add to the request, then in step 1758, theredirect URL is added to the HTTP request. In step 1760, the headervariables are added to the HTTP request. The user's browser is thenredirected using the HTTP request in step 1762.

[0237]FIG. 46 is a flow chart describing the process of performingauthorization success actions (step 794 of FIG. 22). In step 1782, it isdetermined whether there is a redirect URL for the authorization successaction. If there is no redirect URL, then in step 1784 it is determinedwhether there are any HTTP header variables to add. If so, the headervariables are added in step 1786. For example, the header variables canbe added to the data structure for the request that is stored on the WebServer. Subsequently, the Web Server will provide the header variablesto the downstream application(s). If, in step 1784 it is determined thatthere are no HTTP variables to add to the request, then no action istaken.

[0238] If it is determined in step 1782 that there is a redirect URL,then in step 1796, it is determined whether there are any HTTP variablesto add to the request. If there are not any HTTP variables to add to therequest, then the redirect URL is added to the HTTP request in step1798. In step 1800, the user's browser is redirected using the HTTPrequest with the redirect URL. If it is determined that there are HTTPvariables to add to the request in step 1796, then the redirect URL isadded to the HTTP request in step 1802. In step 1804, the HTTP variablesare added as header variables to the HTTP request. In step 1806, theuser's browser is redirected using the HTTP request.

[0239]FIG. 47 is a flow chart describing the process of how a downstreamapplication or other resource uses header variables provided by thesystem of FIG. 1. Upon authorization success, authorization failure,authentication success or authentication failure, various data can beadded as header variables. In step 1830, the resource receives therequest. In one embodiment, the resource receives request informationfrom a Web Server. In another embodiment, the resource receives aredirected HTTP request. In step 1832, the resource determines whetherthere are any header variables to consider. If there are no headervariables, then in step 1834, the resource responds to the request.Responding to the request can include providing a web page, access to asoftware process or anything else appropriate for the particularresource. If, in step 1832, it is determined that there are headervariables, then in step 1836 the resource searches for a particularvariable name. In order to use header variables, the resource must bepreprogrammed to know what header variables to expect and how to usethem. Thus, the resource will have a list of variable names it seeks. Instep 1836, the resource looks for one of the listed variable names inthe set of header variables. Once found, the resource reads the stringfor the found variable in step 1838. In step 1840, the resource readsthe variable value (e.g. LDAP attribute). When HTTP variables are set upin actions, a variable name, a string for the variable and data for thevariable are provided. In step 1842, it is determined whether anyvariables to operate on. If so, the method of FIG. 47 loops back to step1836. If there are no more variables to operate, then in step 1844 theresource acts on the variables by taking the information from thevariables and using them in the manner appropriate for the particularresource. In step 1846, the resource responds to the request asappropriate for that particular resource.

[0240] One example for using the process of FIG. 47 is to provide anautomated login for a downstream application. For example, uponauthentication or authorization successes, login information for aparticular user and a particular application can be added to the HTTPrequest as header variables. The downstream application can beprogrammed to search the header variables for the login and passwordinformation and automatically attempt to authorize the user. In anotherexample, user identity profile information is passed to a downstreamapplication without the user accessing the application directly. Thisuser identity profile information would be stored in header variablesand provided to the resource being accessed. Thus, the resource beingaccessed can be fully customized for the user accessing the resource.For example, the resource can address the user by name and title andaccess preferences for that user. There are an unlimited number ofresources that can be accessed by a user and, thus, unlimited ways touse the information contained in header variables.

[0241] As discussed above, the Access System monitors and logs variousevents, including authorization and authentication failure/successevents. In other embodiments, other events can be monitored and logged.When an event being monitored occurs, an entry is added to anappropriate audit log. For purposes of the present invention, the termslog and log entry are used broadly because no special format isnecessary for the present invention. A log can include any reasonableand organized system for storing information.

[0242]FIG. 48 provides a flow chart detailing the steps performed forlogging authentication and/or authorization events (see steps 764, 774,792, and 796 of FIG. 22). In one embodiment, the steps of FIG. 48 areperformed by Web Gate 28 and auditing module 544. The log process isconfigurable because the audit rule associated with a requested resourcecan specify any combination of information to be logged in audit logs546 in response to a detected type of event selected to be audited. Forexample, in one embodiment of the present invention, an audit ruleassociated with a requested resource can specify that all or a subset ofthe attributes of the identity profile for the user making the accessrequest should be logged in one of audit logs 546 for the specificevent. In another embodiment, the time of the authentication and anidentification authorization event is logged in one or more of auditlogs 546. An identification of the resource, the rule evaluated, thetype of event, the IP (or other) address of the requesting machine, userID, an identification of the operation being performed (e.g. GET, etc.)an identification of the Web Gate and/or access server that processedthe request, user password and any other suitable information can alsobe logged.

[0243] Storing identity profile information, as well as the otherinformation listed above, allows the system to provide data for loadbalancing, various business reports, and reports about how the system isbeing used. For example, knowledge of which resources are beingaccessed, when resources are being used and who is accessing theresources can allow an administrator to perform load balancing on thesystem. Reports identifying which content is being accessed the most canhelp a business allocate resources. Information about how variousentities use the system can provide behavioral data to the host. Variousother business reports and monitoring can also be useful.

[0244] The process of FIG. 48 is commenced by the detection of an accesssystem event. In the embodiment of FIG. 22, both the attempt toauthenticate (steps 760 & 762) and the attempt to authorize (steps 756 &790) can be thought of as the detection of an access system event. Thus,the access system events of the embodiment of FIG. 22 includesauthorization success, authorization failure, authentication success andauthentication failure. Other access system events can also be monitoredfor use with the present invention. In other embodiment, detecting anaccess system event can utilize different means than explicitlydescribed in FIG. 22, as long as the system has a means for knowing thatan event occurred. Alternatively, an access system event can be detectedusing specific monitors or sensors.

[0245] In step 1870 of FIG. 48, Web Gate 28 reads audit mask 503 fromresource cache 502 in response to an authentication or authorizationresult. If audit mask 503 indicates that the event is not audited (step1872), then the method is done (step 1874). If the event is to beaudited (step 1872), then Web Gate 28 passes retainer 505 to auditingmodule 544, thus identifying the applicable policy domain and/or policyfor auditing. In step 1878, auditing module 544 reads the audit ruleassociated with the requested resource from audit rule cache 574. In oneembodiment, the audit rule read in step 1878 will be a first level(default) audit rule, a second level (specific) audit rule, or a masteraudit rule applicable to all resources when neither a first or secondlevel audit rule is found. In step 1880, auditing module 544 logsinformation specified by the found audit rule into one or more auditlogs 546. In one embodiment of the present invention, Access Server 34informs auditing module 544 of authentication and authorization eventsto be logged, thus, allowing auditing module 544 to perform steps 1878and 1880 directly in response to an authentication or authorizationresult, rather than waiting to be prompted by Web Gate 28.

[0246]FIG. 49 provides a flow chart of a method for loading audit rules(see step 846 of FIG. 23). In step 1900, Access Server 34 loads thedefault audit rule for the policy domain mapped in step 836 of FIG. 23from Directory Server 36 into audit rule cache 574. Access Server 34then selects a rule in array 565 (step 1902) and determines whether theselected rule is a specific audit rule for a policy associated with therequested resource, by using the method of FIG. 26 previously describedabove (step 1904). If the resource is part of the policy, then AccessServer 34 proceeds to step 1912. Otherwise, Access Server 34 determineswhether all rules in array 565 have been considered (step 1906). If not,then Access Server 34 selects the next rule in array 565 (step 1908),and returns to step 1904. Once all rules in array 565 have beenconsidered (step 1906), Access Server 34 proceeds to step 1912. If asecond level authentication rule was found for the requested resource instep 1904, then authentication module 540 caches the second level auditrule in audit rule cache 574 (step 1912) and proceeds to step 1914. Instep 1914, Access Server 34 prepares audit mask 503, identifying theauthentication and authorization events to be logged (audited) byauditing module 544 in accordance with the second level audit rule. If asecond level audit rule was not found (step 1910), then the first levelaudit rule previously loaded in step 1484 remains in audit rule cache574, and Access Server 34 prepares audit mask 503 using the first levelaudit rule. Thus, when the method of FIG. 49 is done, only one auditrule for the requested resource will remain in audit rule cache 574.

[0247]FIG. 50 depicts one embodiment of components used to detectattempted intrusions. The attempted intrusions can be inadvertent ormalicious. The goal is to detect attempted intrusions of the accesssystem, which includes the protected resources. FIG. 50 shows audit logs546 which can be one or more logs for logging various events. Forexample, there could be one log for logging authentication failureevents, one log for logging authorization failure events, etc.Alternatively, there could be one log for logging multiple types ofevents. In one embodiment, for each log, or each type of event, an auditlog sensor 548 monitors the type of event occurring. For example, in oneembodiment there is an authentication failure sensor and anauthorization failure sensor. If other events are monitored, there canbe a sensor for each of the other events. When an authorization failureevent occurs and a log entry is added to audit log 546 for the event,the authorization failure sensor will make a copy of the log entry andsend it to database server 1934. Each of the audit log sensors 548 willsend copies of log entries they detect to database server 1934. In oneembodiment, database server 1934 includes an SQL database for storingall of the received log entries. Periodically, database server 1934sends a set of log entries to security server 1936. In one embodiment,database server 1934 is stored within the local system of FIG. 1 andsecurity server 1936 is located offsite. In one embodiment, databaseserver 1934 is not provided and the various log sensors send their logentries directly to security server 1936. As discussed above, the auditlog entries are fully configurable. The log entries sent by the sensorscan be exact duplicates of the log entries in the audit logs or they canbe reformatted versions or versions that store only a subset of theoriginal information.

[0248]FIG. 51 provides a flow chart describing the operation of thecomponents depicted in FIG. 50. In step 1950, an event is logged. Thesystem is fully configurable to allow the sensors to monitor all or asubset of events being logged. The events being monitored by sensors 548are denoted as registered events. For example, in one embodiment, thesystem logs all authentication failure, authentication success,authorization failure and authorization success events, while sensors548 monitor only authentication failure and authorization failureevents. In step 1952, it is determined whether the logged event is aregistered event. If not, the method of FIG. 51 is done (step 1964). Ifit is a registered event, then in step 1954 the sensor accessesinstructions for the event type. For each event type being monitored bya sensor, the system is configurable to perform any action specified bythe administrator. For example, in one embodiment, an action will be tosend the log entry to a database server. In another embodiment theaction will also include adding information to the log entry such asinformation from a user identity profile, login information, time, date,etc. In step 1956, sensor 548 accesses the log entry and performsinstructions for the event type to the log entry in step 1958. Asdiscussed above, one exemplar instruction requests that the sensor sendsthe log entry to either database server 1934 or security server 1936. Ifthe sensor is instructed to send the log entry to database server 1934,then database server 1934 receives and stores the log entry in step1960. In step 1962, database server 1934 will periodically send all or asubset of the log entries to security server 1936.

[0249]FIG. 52 is a flow chart describing the operation of securityserver 1936. In step 1980, security server 1936 receives a log entry.Step 1980 could include receiving a particular log entry directly from asensor 548 or receiving a set of log entries from database server 1934.In step 1982, the log entries are stored at security server 1936. Instep 1984, a rules engine is run on a set of stored log entries. The logentries used in step 1984 could include the newest set of log entriesand, optionally, previous log entries going back historically as neededby the rules engine. The rules engine can look for any particularpattern of events. In one embodiment, the steps of FIGS. 51 and 52 areused to detect one or more attempts of intrusion of the system. Forintrusion detection, the rules engine looks for patterns over time of anentity attempting to wrongfully access resources in the system ofFIG. 1. In such a case, various patterns can be detected. For example,the rules engine may look for three authorization failures for the sameentity or three authentication failures with the same login name orpassword. Security server 1936 correlates events over time to identifypersons or actions that constitute security breaches or attemptedsecurity breaches.

[0250]FIG. 53 provides a flow chart detailing the steps performed byAccess Manager 40 for flushing and synchronizing caches of Web Gate 28and Access Server 34 in accordance with the present invention. If achange is made (by an administrator, user, or otherwise) to a policydomain or a policy stored on Directory Server 36, any affected firstlevel or second level rules cached in the respective caches of Web Gate28 and Access Server 34 will become stale data. Similarly, if a changeis made to user identity profiles 102 or revoked user list 108 onDirectory Server 36, previously cached versions of the changed data willbecome stale. Accordingly, the respective caches of Web Gate 28 andAccess Server 34 must be flushed to prevent Web Gate 28, Access Server34, User Manager 38, Access Manager 40, or System Console 42 from usingthe stale data.

[0251] In step 2010, Access Manager 40 detects a change to data storedon Directory Server 26. In step 2012, Access Manager 40 reads theprevious Global Sequence Number (GSN) 112 stored on directory server 36.In step 2014, Access Manager 40 assigns a current GSN to the changedetected in step 2010. In one embodiment of the present invention, thecurrent GSN is the next sequential number after the previous GSN 112. Instep 2016, Access Manager 40 stores the current GSN on Directory Server36, replacing the previous GSN 112. In step 2018, Access Manager 40generates a synchronization (sync) record to facilitate cache flushing.In step 2020, Access Manager 40 passes a cache flush request and thenewly generated synchronization record to each Access Server 34.

[0252]FIG. 54 provides a block diagram of a synchronization record inaccordance with the present invention. Synchronization record 2040includes the current GSN 2042 assigned to the change detected instep2010 of FIG. 53. Synchronization record 2040 also includes IDs 2044,which identify the data affected by the detected change, such as thepolicy domain, first level rules, policy, second level rules, etc.Synchronization record 2040 also indicates what type of change 2046 wasdetected (e.g. whether it be an addition, modification, or deletion).Time 2048 is also stored, indicating the time at which the change wasdetected in step 2010.

[0253]FIG. 55 provides a flow chart detailing steps performed by AccessServer 34 in response to receiving a synchronization record 2040 fromAccess Manager 40. In step 2060, Access Server 34 receives asynchronization record and flush request. Access Server 34 updates itsstored GSN by replacing the stored GSN with the synchronization recordGSN (step 2066). In step 2068, Access Server 34 then flushes the cachedinformation identified by elements 2044, 2046, and 2048 ofsynchronization record 2040. Access Server 34 then storessynchronization record 2040 on Access Server 34 (step 2070).

[0254]FIG. 56 provides a flow chart detailing the steps performed by WebGate 28 for flushing and synchronizing its caches in accordance with thepresent invention. In step 2100, Web Gate 28 issues a request to AccessServer 34. Upon serving the request, Access Server 34 returns the valueof its stored GSN 554 (step 2102) to Web Gate 28. Web Gate 28 comparesthe GSN 544 returned in step 2102 with GSN 510 stored by Web Gate 28(step 2104). Web Gate 28 requests all synchronization records 550 storedon Access Server 34 having GSN's greater than GSN 510 stored on Web Gate28 or appearing in sync record table 518. Web Gate 28 flushes datahaving ID's 2044 (specified in synchronization record 2040 received fromAccess Server 34) from its caches (step 2110). In step 2112, Web Gate 28updates its GSN 510 to equal GSN 554 stored on Access Server 34 (step2112). In one embodiment, Web Gate 28 maintains a sync record table 518that identifies all sync records that have not yet been processed by WebGate 28. For example, a sync record will remain unprocessed if itstransmission to Web Gate 28 from Access Server 34 is delayed. In step2114, Web Gate 28 updates table 518 by removing entries forsynchronization records processed in step 2110.

[0255]FIG. 57 provides a flow chart describing the process of testingaccess to resources using the system of FIG. 1. Access Manager 40includes an Access Tester process. The Access Tester allows anadministrator, or any other authorized user, to determine who or whatentities may access a resource under the current access criteria,whether a particular individual or set of individuals have access to aresource under certain conditions and whether the first level and secondlevel rules, policies or policy domains associated with a resourceoperate as intended. In one embodiment, an administrator accesses theAccess Tester using a GUI on Access Server 40. In one implementation,the system tests access to a resource without actually authenticating orauthorizing access to the resource. Thus, the system is testing asuccessfully authenticated user's access to the resource. In step 2260,the administrator enters a URL (or other identities) for a resource tobe tested. In one alternative, multiple URLs can be entered so that thetest is performed for multiple resources. In another alternative, theadministrator can select to test for all possible resources so that theAccess Tester will determine which resources are available to the usersidentified for the test. In step 2262, the administrator selects theHTTP request methods that the administrator wants to test. If no HTTPrequest methods are entered, the system will test all HTTP requestmethods. Protocols other than HTTP can also be used. In accordance withthe present invention other protocols besides HTTP can be used. If theadministrator wants to know if a particular computer can access theresource, the administrator can enter the computer's IP address in step2264. If no IP address is entered in step 2264, then the test will notbe limited to any particular computer.

[0256] In step 2266 of FIG. 57, the administrator can enter date andtime restrictions. In one embodiment, the administrator can indicatethat any time and day can be used so that the timing and daterestrictions do not restrict the test. Alternatively, the administratorcan enter a specific time and/or date for testing. The date and timeinformation can identify a specific date and time or ranges of dates andtimes. As discussed above, policies can be configured to allow certainaccess by users at certain times on certain dates. In step 2268, theadministrator selects which users to test access for. The administratorcan request testing for all possible users or subsets thereof. If theuser desires to test for selected users, the administrator can identifyindividual users. Alternatively, the administrator can use filters,rules, or roles to identify subsets of users. Testing for all usersallows an administrator to see which users have access to a particularresource. Steps 2260-2268 are information gathering steps. In oneembodiment, they are performed by having an administrator enterinformation into Access Manager 40. In other embodiments, thisinformation is provided to the Access Tester via a file, a softwareprocess, information exchange protocols such as XML, etc.

[0257] Steps 2270-2282 are performed by the Access Tester in order totest access to the resource in question. In step 2270, the policy domainis identified for the URL entered in step 2260 using the processesdescribed above. In step 2272, the system searches for a policyassociated with the URL in accordance with the processes describedabove. If more than one URL was entered in step 2260, than more than onepolicy or more than one policy domain may be identified. In step 2274,the Access Tester chooses one user from the set of users selected instep 2268 and the identity profile for the chosen user is accessed(optional). In step 2276, authorization is checked for that user. Step2276 is performed in a similar manner as described above with respect tostep 756 of FIG. 22, except that after it is determined whether the useris authorized, no log entry is created and the user is not actuallyauthorized. If a policy was found in step 2272, then the authorizationrules for the policy are used in step 2276. If no policy was found instep 2272, then the default authorization rules for the policy domainare used in step 2276. The information from steps 2262, 2264, and 2266,and the user's identity profile (optional) are used to determine whetherthe one or more applicable authorization rules are satisfied. If theyare satisfied, then it is determined that the particular user isauthorized to access the resource under the conditions entered in steps2260-2268. In step 2278, it is determined whether there are more usersfrom the set of users identified in step 2268. If there are more users,another user is chosen in step 2280 and the identity profile for thatuser is accessed. After step 2280, the method loops back to step 2276.If there are no more users to consider (step 2278), then the results aredisplayed in step 2282.

[0258] In one embodiment, the method of displaying and/or the contentsof the results in step 2282 are configurable. For example, theadministrator can select whether the matching policy domain, policyand/or matching rules should be displayed. One embodiment of step 2282includes displaying a table (not shown) in a GUI listing all users. Foreach user, the table displays the URL in question, the request methodtested, the policy domain, the policy, the authorization rules, date andtime information, IP address information, and an indication of whetherthe user is authorized to access the resource. In one embodiment, only aconfigurable subset of this information is displayed. It is possiblethat a user may have multiple entries in the result table, for example,when the date and timing information results in access grants at sometimes and access denials at other times. The results table allows anadministrator to determine whether the policies created for a particularresource or set of resources are appropriate. In addition, theadministrator can use the Access Tester to determine whether specificusers have appropriate access rights. The Access Tester quickly allowsan administrator to verify authorization rules created for particularpolicy domains and/or policies. In alternative embodiments of step 2282,the results are reported in a file, in XML, on a printer, using voice,etc. In one embodiment, the results reported could include an indicationthat access is granted, access is denied, there is redirection to adifferent resource or it is undetermined (e.g. a custom authorizationplug-in cannot be loaded).

[0259] Various alternatives to the above described embodiments are alsowithin the spirit of the present invention. For example, in oneembodiment, the system of FIG. 1 can include a separate Identity Serverwhich will perform many (or all) of the tasks associated with managingthe Identity System. In one embodiment, such an Identity Server wouldinclude a Publisher, a User Manager, a Group Manager and an OrganizationManager.

[0260] The Publisher is an application that lets a user publishLDAP-based directory information about users, reporting structures,departments, offices and other resources stored in enterprisedirectories. The User Manager is responsible for password management,certificate management, and delegation administration of user identityprofiles. For example, the User Manager can create and delete users,roles, rights and credentials.

[0261] The Group Manager manages groups. When a company is setting up anExtranet/Internet or ASP services, the company will need to provide onlycertain groups of people with access to the application/resources thatthey are making available. The entities in a group can be determined byspecifically adding a person or group, or by identifying a specificattribute or value in user identity profiles. Companies can use thesemethods to use roles/rights management, or to grant/deny access to theapplications that they will need. The Group Manager will manage thisgroup functionality, including supporting multiple types of groups,managing group ownership, group membership, group administration, etc.

[0262] The Organization Manager is used to manage organizations. Whencompanies are dealing with outside partners, suppliers, or otherorganizations (internal or external), the companies need a way to managethose organizations including creating the entity, modifying it ordeleting it. There are three fundamental data structures that are usedto organize directory data in the directory server: (1) User objects forthe actual information about the user; (2) group objects for collectionsof users; and (3) organization objects, which are containers for user,group and other organization objects. Organizations can be created andremoved from the system. Additionally, organizations can be managed by amanager, self managed, or managed in a delegated fashion.

[0263] The system can also be implemented with multiple IdentityServers. Each Identity Server will have its own cache or set of caches.In one scenario, if one of the Identity Servers change it cache, it willcommunicate to the others to flush their cache.

[0264] Another alternative embodiment will include Public KeyInfrastructure (PKI) integration. By deploying PKI, customers can issuecertificates to various users. PKI is a key technology for enablinge-business and e-commerce by making transactions and interactions thatare more secure between companies and across the Internet.

[0265] Another embodiment includes Pre and Post Processing (PPP). PPPserver-side hooks allow customers to extend the business logic of theIdentity Systems by communicating with other systems before and after anevent happens in the Identity System (or Access System). Customers canhook shared libraries, Pearl scripts or any other applications that canbe called from specific well defined points in the processing logic ofthe application. As an example, during the user creation work flowprocess, a customer might want to call out to another system thatcreates an account for a user and provides information that should bestored in the user identity profile. As part of the call out,information can be returned to the Identity System. PPP can be used toperform data validation and password management. PPP could also be usedas a notification engine (e.g. when a given action occurs, send anemail).

[0266] In one embodiment, the system is implemented as a three-tierarchitecture. This allows the Identity System to be placed behind afirewall, while the only component exposed outside the firewall (or inthe DMZ) is a Web Server with a Web Pass plug-in. The Web Pass plug-inis a plug-in for the Web Server that communicates with the IdentityServer. The Web Pass Plug-in is analogous to the Web Gate for the accesssystem. This allows customers to run the system with enhanced securityand provides another point to do fail over, load balance and utilizeredundant servers.

[0267] In another embodiment, the system of FIG. 1 can accept input inXML format and provide output in XML format. Additionally, the systemwill make use of XML remote procedure calls (RPC).

[0268] In an alternative implementation, the system could attempt tovalidate data on input. If a user or application enters data into thesystem that is outside predefined constraints, the data will berejected.

[0269] In another embodiment, Access System authentication policies andschemes can be used by third party applications through an API. Forexample, the API allows third party developers to create clients toperform authentication while running on application servers.Authenticated user sessions can be shared among application components,allowing creation of session tokens compatible with Access Systemcookies and re-creation of user sessions from session tokens importedfrom Web Gates or other components. In one embodiment, Java servlets,Enterprise Java Beans (EJB's), and standalone Java, C++, and C programsare supported.

[0270] In one variation, Access System authorization rules and actionscan be created by third party developers through an API. In oneembodiment, these custom authorization rules and actions are programmedin C code. In another embodiment, custom authorization rules and actionscan reside in an Access System with pre-existing authorization rules andactions.

[0271] In another embodiment, “affiliate” Web Gates are installed onremote Web Servers to provide single sign-on authentication acrossmultiple organizations. The affiliate Web Gates can access Web Gates ofthe Access System, but cannot directly communicate with Access Server34. For example, a first company may maintain a web site protected by anAccess System in accordance with the present invention. If the firstcompany agrees to allow customers of a second company to access a subsetof resources on the first company's web site, an affiliate Web Gate willbe installed on the second company's web server. When a customer of thesecond company requests resources from this subset, the affiliate WebGate will request a Web Gate of the Access System to authenticate thecustomer. The Access System Web Gate will return a successful orunsuccessful authentication result to the affiliate Web Gate.

[0272]FIG. 4, above, shows a hierarchical directory structure. Otherdata structures can also be used. One example of a suitable alternativeis a flat data structure that does not include a hierarchy. Anothersuitable example includes a fat tree, which is a hierarchy that has fewlevels and each level is wide (a lot of nodes). One additional featurethat can be used with various data structures is the implementation of avariable search base. In some embodiments, a user can access the entirehierarchy, subject to access rules and localized access filters. Inother embodiments, users will be limited to only accessing portions ofthe hierarchy. For example, the system can be set up so that usersunderneath a particular node in the hierarchy can only access othernodes below that particular node. This restriction on access is donebefore applying any access criteria and localized access filters, andcan be thought of as restricting the search base. In effect, the toproot of the hierarchy can then vary on aper user or group basis.

[0273] Another alternative embodiment for the Identity System is allowthe flow of managing user identity profiles to be configurable so thatthey can match the procedures of the company or entity.

[0274] Policy domain information and policy information can be storedwith a resource, with a resource's information in the directory serveror in a location on the directory server (or elsewhere)for storing setsof policy domain information and policy information. Additionally, theabove described system can work with one directory server or multipledirectory servers.

[0275] The foregoing detailed description of the invention has beenpresented for purposes of illustration and description. It is notintended to be exhaustive or to limit the invention to the precise formdisclosed. Many modifications and variations are possible in light ofthe above teaching. The described embodiments were chosen in order tobest explain the principles of the invention and its practicalapplication to thereby enable others skilled in the art to best utilizethe invention in various embodiments and with various modifications asare suited to the particular use contemplated. It is intended that thescope of the invention be defined by the claims appended hereto.

I claim:
 1. A method for testing access to a resource available on anetwork, comprising the steps of: receiving access information; testingwhether said resource is authorized for use based on said accessinformation without granting authorization to said resource; andreporting whether said resource is authorized for use based on said stepof testing.
 2. A method according to claim 1, wherein: said step ofreceiving access information includes receiving said access informationfrom a user interface.
 3. A method according to claim 1, wherein: saidaccess information is capable of including an identification of saidresource, identification information for one or more entities, one ormore request methods, an address of a device, date information and timeinformation.
 4. A method according to claim 1, wherein: said accessinformation includes an identification of one or more entities; saididentification of one or more entities includes a user name; and saidstep of testing includes determining whether an entity associated withsaid user name can access said resource.
 5. A method according to claim1, wherein: said access information includes an identification of one ormore entities; said identification of one or more entities includes auser role; and said step of testing includes determining whether a setof one or more entities satisfying said role can access said resource.6. A method according to claim 1, wherein: said access informationincludes an identification of one or more entities; said identificationof one or more entities includes a rule; and said step of testingincludes determining whether a set of one or more entities satisfyingsaid rule can access said resource.
 7. A method according to claim 1,wherein: said access information includes timing information.
 8. Amethod according to claim 7, wherein: said timing information includes atime range; and said step of testing includes determining whether a setof entities can access said resource within said time range.
 9. A methodaccording to claim 7, wherein: said timing information includes a daterange; and said step of testing includes determining whether a set ofentities can access said resource within said date range.
 10. A methodaccording to claim 1, wherein: said access information includes anaddress of a device; and said step of testing includes determiningwhether an entity using said device can access said resource.
 11. Amethod according to claim 1, wherein: said access information includesan access request method; and said step of testing includes determiningwhether an entity can access said resource using said access requestmethod.
 12. A method according to claim 1, wherein: said accessinformation includes a URL identifying said resource.
 13. A methodaccording to claim 1, wherein: said access information includes anidentification of a set of entities; and said step of testing includesthe steps of: (a) selecting an entity, (b) checking authorization forsaid entity, and (c) repeating steps (a) and (b) for each remainingentity in said set of entities.
 14. A method according to claim 1,wherein: said access information includes an identification of saidresource and does not include an identification of any entities; andsaid step of testing determines which entities can access said resource.15. A method according to claim 1, wherein: said access informationincludes an identification of an entity and does not include anidentification of any resources; and said step of testing includesdetermining which resources can be accesses by said entity.
 16. A methodaccording to claim 1, wherein: said access information includesinformation for identifying a first user; and said step of testingincludes the steps of: accessing an identity profile for said firstuser, and comparing information in said identity profile toauthorization criteria for said resource to determine whether said.first user is authorized to access said resource.
 17. A method accordingto claim 1, wherein: said step of testing includes determining whetheran authorization rule is satisfied.
 18. A method according to claim 17,wherein: said access information includes information for identifying aset of one or more entities; said authorization rule includes rolecriteria; and said step of determining whether an authorization rule issatisfied includes evaluating whether said set of one or more entitiesmeet said role criteria.
 19. A method according to claim 17, wherein:said access information includes information for identifying a set ofone or more entities; said authorization rule includes rule criteria;and said step of determining whether an authorization rule is satisfiedincludes evaluating whether said set of one or more entities meet saidrule criteria.
 20. A method according to claim 1, wherein: said step ofreporting is user configurable so that a user an provide an indicationof whether to display one or more authorization rules.
 21. A methodaccording to claim 1, wherein: said step of reporting includesdisplaying first information indicating that a first user can access afirst resource at a first time and second information indicating thatsaid first user cannot access said first resource at a second time. 22.A method according to claim 1, wherein sad step of testing includes thesteps of: searching for a specific authorization rule; determiningauthorization using said specific rule if said specific rule is found;and determining authorization using a default rule if said specific ruleis not found.
 23. A method according to claim 1, wherein said step oftesting includes the steps of: identifying a policy domain; searchingfor a policy; determining authorization using a default rule for saidpolicy domain if no policy is found; and determining authorization usinga specific rule for said policy if said policy is found.
 24. One or moreprocessor readable storage devices having processor readable codeembodied on said processor readable storage devices, said processorreadable code for programming one or more processors to perform amethod, comprising the steps of: receiving access information; andtesting whether a resource is authorized for use based on said step oftesting.
 25. One or more processor readable storage devices according toclaim 24, wherein said processor readable code includes: a userinterface console; an access tester; and an authorization module. 26.One or more processor readable storage devices according to claim 24,wherein: said access information is capable of including anidentification of said resource, identification information for one ormore entities, one or more request methods, an address of a device, dateinformation and time information.
 27. One or more processor readablestorage devices according to claim 24, wherein: said access informationincludes an identification of one or more entities; said identificationof one or more entities includes a user role; and said step of testingincludes determining whether a set of one or more entities satisfyingsaid role can access said resource.
 28. One or more processor readablestorage devices according to claim 24, wherein: said access informationincludes an identification of one or more entities; said identificationof one or more entities includes a rule; and said step of testingincludes determining whether a set of one or more entities satisfyingsaid rule can access said resource.
 29. One or more processor readablestorage devices according to claim 24, wherein: said access informationincludes timing information; said timing information includes a timerange; and said step of testing includes determining whether a set ofentities can access said resource within said time range.
 30. One ormore processor readable storage devices according to claim 24, wherein:said access information includes an access request method; and said stepof testing includes determining whether an entity can access saidresource using said access request method.
 31. One or more processorreadable storage devices according to claim 24, wherein: said accessinformation includes information for identifying a first user; and saidstep of testing includes the steps of: accessing an identity profile forsaid first user, and comparing information in said identity profile toauthorization criteria for said resource to determine whether said.first user is authorized to access said resource.
 32. One or moreprocessor readable storage devices according to claim 24, wherein: saidstep of testing includes determining whether an authorization rule issatisfied; said access information includes information for identifyinga set of one or more entities; said authorization rule includes rulecriteria; and said step of determining whether an authorization rule issatisfied includes evaluating whether said set of one or more entitiesmeet said rule criteria.
 33. One or more processor readable storagedevices according to claim 24, wherein said step of testing includes thesteps of: searching for a specific authorization rule; determiningauthorization using said specific rule if said specific rule is found;and determining authorization using a default rule if said specific ruleis not found.
 34. One or more processor readable storage devicesaccording to claim 24, wherein said step of testing includes the stepsof: identifying a policy domain; searching for a policy; determiningauthorization using a default rule for said policy domain if no policyis found; and determining authorization using a specific rule for saidpolicy if said policy is found.
 35. An apparatus, comprising: acommunication interface; one or more storage devices; and one or moreprocessors in communication with said one or more storage devices andsaid communication interface, said one or more processors programmed topreform a method comprising the steps of: receiving access information,and testing whether a resource is authorized for use based on said stepof testing.
 36. An apparatus according to claim 35, wherein: said accessinformation is capable of including an identification of said resource,identification information for one or more entities, one or more requestmethods, an address of a device, date information and time information.37. An apparatus according to claim 35, wherein: said access informationincludes an identification of one or more entities; said identificationof one or more entities includes a user role; and said step of testingincludes determining whether a set of one or more entities satisfyingsaid role can access said resource.
 38. An apparatus according to claim35, wherein: said access information includes an identification of oneor more entities; said identification of one or more entities includes arule; and said step of testing includes determining whether a set of oneor more entities satisfying said rule can access said resource.
 39. Anapparatus according to claim 35, wherein: said access informationincludes timing information; said timing information includes a timerange; and said step of testing includes determining whether a set ofentities can access said resource within said time range.
 40. Anapparatus according to claim 35, wherein: said access informationincludes an access request method; and said step of testing includesdetermining whether an entity can access said resource using said accessrequest method.
 41. An apparatus according to claim 35, wherein: saidaccess information includes information for identifying a first user;and said step of testing includes the steps of: accessing an identityprofile for said first user, and comparing information in said identityprofile to authorization criteria for said resource to determine whethersaid. first user is authorized to access said resource.
 42. An apparatusaccording to claim 35, wherein said step of testing includes the stepsof: identifying a policy domain; searching for a policy; determiningauthorization using a default rule for said policy domain if no policyis found; and determining authorization using a specific rule for saidpolicy if said policy is found.